Chapter 7: Network Security

Chapter goals:
understand principles of network security:

Chapter 7

cryptography and its many uses beyond

confidentiality
authentication
message integrity

Network Security

security in practice:
firewalls
security in application, transport, network, link layers
see ref books (not covered in class)

Note: Some figures in this slides are taken from the book Computer Networking by Kurose and Ross

ECE/CSC 570, Fall 2014

What is network security?

Outline

Confidentiality: only sender, intended receiver should

understand message contents
sender encrypts message
receiver decrypts message

Encryption Algorithms: Cryptography

Authentication: sender, receiver want to confirm identity

of each other

Authentication Protocols
Key Distribution
Firewalls

symmetric key vs. public key

Message Integrity Protocols

Digital signature

Message integrity: sender, receiver want to ensure

message not altered (in transit, or afterwards) without
detection
Access and availability: services must be accessible
and available to users
3

ECE/CSC 570, Fall 2014

ECE/CSC 570, Fall 2014

Who might Bob, Alice be?

Friends and enemies: Alice, Bob, Trudy

Well-known in network security world
Bob, Alice (lovers!) want to communicate securely

well, real-life Bobs and Alices!

Web browser/server for electronic transactions
(e.g., on-line purchases)
on-line banking client/server
DNS servers
routers exchanging routing table updates
other examples?

Trudy (intruder) may intercept, delete, add messages

Alice

channel data, control

Bob

messages

data

secure
sender

secure
receiver

data

Trudy

ECE/CSC 570, Fall 2014

ECE/CSC 570, Fall 2014

There are bad guys (and girls) out there!

The language of cryptography (general)

Q: What can a bad guy do?

A: a lot!

Alices

plaintext

B key

encryption
algorithm

ciphertext

decryption plaintext
algorithm

symmetric key crypto: sender, receiver keys identical, i.e., KA = KB = K

public-key crypto: encryption key public, decryption key secret
(private)

more on this later

ECE/CSC 570, Fall 2014

K decryption

key

eavesdrop: intercept messages

actively insert messages into connection
impersonation: can fake (spoof) source address in
packet (or any field in packet)
hijacking: take over ongoing connection by
removing sender or receiver, inserting himself in
place
denial of service: prevent service from being used
by others (e.g., by overloading resources)

Bobs

K encryption
A

ECE/CSC 570, Fall 2014

The encryption model

(for a symmetric-key cipher)

The encryption model

(for a symmetric-key cipher) (2)
C = EK(P): Encryption of the plaintext P using
key K
ciphertext C
P = DK(C): decryption of C
DK(EK(P)) = P
Kerchhoffs principle: All algorithms must be
public; only the keys are secret.

ECE/CSC 570, Fall 2014

10

Transposition Ciphers

Substitution Ciphers

A transposition cipher

substitution cipher: substituting one thing for another

Reorder the letters but do not disguise them

monoalphabetic cipher: substitute one letter for another

plaintext:

abcdefghijklmnopqrstuvwxyz

ciphertext:

mnbvcxzasdfghjklpoiuytrewq

ECE/CSC 570, Fall 2014

Key: MEGABUCK

E.g.: plaintext: bob. i love you. alice

ciphertext: nkn. s gktc wky. mgsbc
Key is a known substitution pattern in mono-alphabetic
substitution cipher
Q: how do Bob and Alice agree on key value in the first place ?
Problem?
11

ECE/CSC 570, Fall 2014

Read out by columns

12

ECE/CSC 570, Fall 2014

One-Time Pads
Message 1: I love you. in 7-bit ASCII

Pad 1 = Pad 2 ?

Fundamental principles
Redundancy: Messages must contain some
redundancy
Freshness: Some method is needed to foil replay
attacks
The algorithm should be public, only the key
should be secret.

XORed with pad

The use of a one-time pad for encryption and the

possibility of getting any possible plaintext from
the ciphertext by the use of some other pad.

Problem?: 1. the key cannot be memorized

2. the total amount of data that can be transmitted is limited by the
amount of key available.
13

ECE/CSC 570, Fall 2014

ECE/CSC 570, Fall 2014

14

Symmetric-Key Algorithms

Product Ciphers

DES The Data Encryption Standard

AES The Advanced Encryption Standard
Cipher Modes
Symmetric Key Algorithm: Use same key for
encryption and decryption

Basic elements of product ciphers.

(a)

P-box. Permutation

S-box. Substitution
(c) Product cipher box. k inputs to k outputs.
(b)

15

ECE/CSC 570, Fall 2014

16

ECE/CSC 570, Fall 2014

Data Encryption Standard

DES Data Encryption Standard

Plaintext

Plaintext

Encrypt with
secret key

Decrypt with
secret key
Ciphertext

The data encryption standard. (a) General outline.

(b) Detail of one iteration. The circled + means exclusive OR.
17

ECE/CSC 570, Fall 2014

ECE/CSC 570, Fall 2014

18

Triple DES

AES The Advanced Encryption Standard

(a) Triple encryption using DES.

(b) Decryption.

Rules for AES proposals (1997)

Total key length = 56 + 56 = 112 bits

1.

The algorithm must be a symmetric block cipher.

2.

The full design must be public.

Key lengths of 128, 192, and 256 bits supported.

4. Both software and hardware implementations required
3.

5.

Why EDE instead of EEE?

19

ECE/CSC 570, Fall 2014

The algorithm must be public or licensed on

nondiscriminatory terms.

Winner: Rijndael (based on Galois field theory)

20

ECE/CSC 570, Fall 2014

Cipher Modes

Electronic Code Book Mode

The plaintext of a file encrypted as 16 DES blocks.

Electronic Code Book Mode

Cipher Block Chaining Mode
Cipher Feedback Mode
Stream Cipher Mode
Counter Mode
AES or DES is still mono-alphabetic substitution cipher,
i.e., same input and always same output
not good

ECE/CSC 570, Fall 2014

21

Message is broken up into consecutive 8-byte blocks

and encrypted one after another with the same key

Cipher Block Chaining Mode

Cipher Feedback Mode

Cipher block chaining.

(a) Encryption

ECE/CSC 570, Fall 2014

22

(a) Encryption.

(b) Decryption.

(b) Decryption.

IV: Initialization Vector

Same plaintext generates different ciphertext depending on where it occurs.

Byte-by-Byte encryption. No need to wait for 8 bytes to start

Require an entire 64-bit (8-byte) block to arrive before decryption can begin
23

ECE/CSC 570, Fall 2014

24

ECE/CSC 570, Fall 2014

Stream Cipher Mode

Counter Mode

A stream cipher.
(a) Encryption.

Encryption using counter mode.

(b) Decryption.

Enables random access to encrypted data via counter

no need to decrypt from the beginning

Similar to huge one-time pad keystream generated by key (can be pre-computed)

ECE/CSC 570, Fall 2014

25

Public Key Cryptography

symmetric key crypto
requires sender, receiver
knows shared secret key
Q: how to agree on key
in first place (particularly
if never met)?

ECE/CSC 570, Fall 2014

26

Public key cryptography (2)

EB Bobs public
key
DB Bobs private
key

public key cryptography

radically different
approach [DiffieHellman76, RSA78]
sender, receiver do not
share secret key

plaintext
message, P

public encryption key

known to all

encryption ciphertext
algorithm
C = EB(P)

decryption plaintext
algorithm message

private decryption key

known only to receiver

27

ECE/CSC 570, Fall 2014

28

ECE/CSC 570, Fall 2014

P = DB(EB(P))

Public key encryption algorithms

Large Prime Numbers

104729 * 95581 = ?
(Ans) 10010102549 (easy computation)

Requirements
D(E(P))=P
It is exceedingly difficult to deduce D from E

Can you efficiently factorize 10010102549 then?

What if the number is way much larger?
RSA: Rivest, Shamir, Adelson algorithm
243112609-1 : 12978189 digits: found in 2008
(Mersenne Prime Number)
ECE/CSC 570, Fall 2014

29

30

Review: Modulo operation

RSA: Choosing keys

Integer variables
Def: a=b (mod n)

1. Choose two large prime numbers p, q.

(e.g., 1024 bits each)

(a-b) is divisible by n

2. Compute n = pq, z = (p-1)(q-1)

i.e., there exists an integer k such that (a-b) = nk

3. Choose d ( with d < n) that has no common factors

with z. (d, z are relatively prime).

Properties:
a=b (mod n)

b=a (mod n)

a=b (mod n) & b=c (mod n)

4. Choose e such that ed-1 is exactly divisible by z.

(in other words: ed =1 (mod z ).

a=c (mod n)

a=b (mod n) & c=d (mod n)

a+c = b+d (mod n) & ac = bd (mod n)
a=b (mod n)
31

ECE/CSC 570, Fall 2014

Public key is (n,e). Private key is (n,d).

ap = bp (mod n)
ECE/CSC 570, Fall 2014

EB
32

ECE/CSC 570, Fall 2014

DB

RSA: Encryption, decryption

RSA: Example
p=3 and q=11, this gives us n=33 and z=20. A good value
for d is d=7 since 7 and 20 have no common factors. Now
7e =1 mod(20) and this gives us e=3.

0. Given (n, e) and (n, d ) as computed above

1. To encrypt bit pattern, P, compute
e
C = P e mod (n) (i.e., remainder when P is divided by n)
2. To decrypt received bit pattern, C, compute
P = C d mod (n) (i.e., remainder when C d is divided by n)
Magic
happens!

d
P = (P e mod n) mod n
C

ECE/CSC 570, Fall 2014

33

RSA: Why is that

d
P = (P emod n)
mod n

RSA: another important property

Useful number theory result: If p, q prime and

n = pq, then for any x and y

The following property will be very useful later:

y
y mod (p-1)(q-1)
x mod n = x
mod n

D (E (P)) = P = E (D (P))
B

(P mod n) d mod n = P ed mod n

= P

ed mod (p-1)(q-1)

1
= P mod n
(since we chose ed to be divisible by
(p-1)(q-1) with remainder 1 )

use private key

first, followed
by public key

Result is the same! Why?

= P

ECE/CSC 570, Fall 2014

use public key

first, followed
by private key

mod n

(using number theory result above)

35

ECE/CSC 570, Fall 2014

34

36

ECE/CSC 570, Fall 2014

Digital Signatures

Public Key Signature

Digital signatures using public-key cryptography.

Cryptographic technique analogous to handwritten signatures.

Requirements
The receiver can verify the claimed identity of the
sender
The sender cannot later repudiate the contents of the
message.
The receiver cannot possibly have concocted the
message himself.

37

ECE/CSC 570, Fall 2014

Bob thus verifies that:

Non-repudiation:
Alice signed P.
Bob can take P and
No one else signed P.
signature DA(P) to court and
prove that Alice signed P.
Alice signed P and not P.
38

Message Digests (MD)

Computationally expensive to
public-key-encrypt long
messages

39

Message Digest (MD) (2)

Hash function (MD) properties:

long
message
P

Goal: fixed-length, easy- tocompute digital fingerprint

Apply hash function MD to
P, get fixed size message
digest, MD(P).

ECE/CSC 570, Fall 2014

Given P, it is easy to compute MD(P)

H: Hash
Function

Given MD(P), it is effectively impossible to find P.

Given P, no one can find P such that
MD(P)=MD(P).

H(P)

A change to the input of even 1 bit produces a

very different output.

Hash function (MD)

many-to-1
produces fixed-size msg
digest (fingerprint)

ECE/CSC 570, Fall 2014

One-way
function

40

ECE/CSC 570, Fall 2014

Authentication

Digital Signature = Signed Message Digest

Bob sends digitally signed message:
large
message
P

H: Hash
function

Bobs
private
key

DB

Alice verifies signature and integrity of

digitally signed message:
encrypted
msg digest

H(P)
digital
signature
(encrypt)
encrypted
msg digest

DB(H(P))

H: Hash
function

public
key

Protocol ap1.0: Alice says I am Alice

DB(H(P))

large
message
Bobs
P

EB

I am Alice

digital
signature
(decrypt)

equal
?

ECE/CSC 570, Fall 2014

42

Goal: Bob wants Alice to prove her identity to him

Protocol ap2.0: Alice says I am Alice in an IP packet

containing her source IP address

Protocol ap1.0: Alice says I am Alice

43

ECE/CSC 570, Fall 2014

ECE/CSC 570, Fall 2014

Authentication: another try

Authentication

I am Alice

Failure scenario??

H(P)

H(P)

No secrecy here.
anyone can see Bobs message.
41

Goal: Bob wants Alice to prove her identity to him

in a network,
Bob can not see
Alice, so Trudy simply
declares
herself to be Alice

Alices
I am Alice
IP address

Failure scenario??

44

ECE/CSC 570, Fall 2014

Authentication: another try

Authentication: another try

Protocol ap2.0: Alice says I am Alice in an IP packet

containing her source IP address

Alices
IP address

45

Protocol ap3.0: Alice says I am Alice and sends her

secret password to prove it.

Alices
Alices
Im Alice
IP addr password

Trudy can create

a packet
spoofing
I am Alice
Alices address

ECE/CSC 570, Fall 2014

Alices
IP addr

46

Authentication: another try

Alices
IP addr

OK

ECE/CSC 570, Fall 2014

Protocol ap3.1: Alice says I am Alice and sends her

encrypted secret password to prove it.

Alices encrypted
Im Alice
IP addr password

playback attack: Trudy

records Alices packet
and later
plays it back to Bob

Alices
IP addr

OK

Alices
Alices
Im Alice
IP addr password

47

ECE/CSC 570, Fall 2014

Failure scenario??

Authentication: yet another try

Protocol ap3.0: Alice says I am Alice and sends her

secret password to prove it.

Alices
Alices
Im Alice
IP addr password

OK

48

ECE/CSC 570, Fall 2014

Failure scenario??

Authentication: another try

Protocol ap3.1: Alice says I am Alice and sends her
encrypted secret password to prove it.

Authentication: yet another try

Goal: avoid playback attack
Nonce: number (R) used only oncein-a-lifetime
ap4.0: to prove Alice live, Bob sends Alice nonce, R. Alice
must return R, encrypted with shared secret key K

Alices encrypted
Im Alice
IP addr password
Alices
IP addr

I am Alice

record
and
playback
still works!

OK

R
KA-B(R)

Alices encrypted
Im Alice
IP addr password

Failures, drawbacks?

ECE/CSC 570, Fall 2014

49

ECE/CSC 570, Fall 2014

50

Authentication: ap5.0

ap5.0: security hole

Man (woman) in the middle attack: Trudy poses as Alice (to
Bob) and as Bob (to Alice)

ap4.0 requires shared symmetric key

Can we authenticate using public key techniques?
ap5.0: use nonce, public key cryptography

Bob computes
+ -

K A (R)

send me your public key

KA
+: public -: private
51

I am Alice

I am Alice

I am Alice
R

Alice is live, and

only Alice knows
key to encrypt
nonce, so it must
be Alice!

ECE/CSC 570, Fall 2014

K (R)
A
Send me your public key
+
K
A

KA(KA (R)) = R

and knows only Alice

could have the private
key, that encrypted R
such that
+ K (K (R)) = R
A A

K (R)
T
Send me your public key
+
K
T

Trudy gets

- +
m = K (K (m))
A A
52

+
K (m)
A

- +
m = K (K (m))
T T

+
K (m)
T

sends m to Alice encrypted

with Alices public key
ECE/CSC 570, Fall 2014

Key Distribution and Certification

ap5.0: security hole

Man (woman) in the middle attack: Trudy poses as Alice (to
Bob) and as Bob (to Alice)

Symmetric key problem:

Public key problem:

How do two entities

establish shared secret key
over network? (Theyve
never met before!)

When Alice obtains

Bobs public key (from
web site, e-mail,
diskette), how does she
know it is Bobs public
key, not Trudys?

Solution:

Difficult to detect:

trusted key distribution

center (KDC) acting as
intermediary between
entities

Bob receives everything that Alice sends, and vice

versa. (e.g., so Bob, Alice can meet one week later and
recall conversation)

Solution:
trusted certification
authority (CA)

problem is that Trudy receives all messages as well!

ECE/CSC 570, Fall 2014

53

ECE/CSC 570, Fall 2014

54

Key Distribution Center (KDC)

Key Distribution Center (KDC) (2)

Q: How does KDC allow Bob, Alice to determine shared
symmetric secret key to communicate with each other?

Alice, Bob need shared symmetric key.

KDC: server shares different secret key with each
registered user (many users)
Alice, Bob know their individual symmetric keys, KA-KDC
KB-KDC , for communicating with KDC.
KDC
KP-KDC

KB-KDC

KA-KDC
55

ECE/CSC 570, Fall 2014

KDC
generates
R1 (random
number)

KA-KDC(A,B)
Alice
knows
R1

KA-KDC KP-KDC
KX-KDC

KA-KDC(R1, KB-KDC(A,R1) )
KB-KDC(A,R1)

KY-KDC
KB-KDC

KZ-KDC

Bob knows to use

R1 to communicate
with Alice

Alice and Bob communicate: using R1 as

session key for shared symmetric encryption
56

ECE/CSC 570, Fall 2014

Certification Authorities

Certification Authorities (2)

Certification authority (CA): binds public key to particular

entity, E.

When Alice wants Bobs public key:

gets Bobs certificate (Bob or elsewhere).
apply CAs public key to Bobs certificate, get Bobs
public key

E (person, router) registers its public key with CA.

E provides proof of identity to CA.
CA creates certificate binding E to its public key.

digital
signature
(decrypt)

certificate containing Es public key digitally signed by CA

CA says this is Es public key
+

Bobs
public
+
key K B
Bobs
identifying
information
57

digital
signature
(encrypt)
CA
private K key CA

KB

KB

CA
public
key

certificate for
Bobs public key,
signed by CA

ECE/CSC 570, Fall 2014

58

+
KB

+
K CA

ECE/CSC 570, Fall 2014

Firewalls

A certificate contains:

firewall
isolates organizations internal net from larger
Internet, allowing some packets to pass,
blocking others.

Serial number (unique to issuer)

info about certificate owner, including algorithm and
key value itself (not shown)

info about
certificate
issuer
valid dates
digital
signature by
issuer

public
Internet

administered
network
firewall
59

ECE/CSC 570, Fall 2014

60

ECE/CSC 570, Fall 2014

Bobs
public
key

Stateless packet filtering

Firewalls: Why ?

Should arriving
packet be allowed
in? Departing packet
let out?

prevent denial of service (DoS) attacks:

SYN flooding: attacker establishes many bogus TCP connections,
no resources left for real connections.

prevent illegal modification/access of internal data.

e.g., attacker replaces CIAs homepage with something else

allow only authorized access to inside network (set of

authenticated users/hosts)

internal network connected to Internet via router firewall

router filters packet-by-packet (stateless), decision to
forward/drop packet based on:

three types of firewalls:

stateless packet filters

source IP address, destination IP address

TCP/UDP source and destination port numbers
ICMP message type
TCP SYN and ACK bits

stateful packet filters

application gateways

61

ECE/CSC 570, Fall 2014

Stateless packet filtering: example

Stateless packet filtering: more examples

Example 1: block incoming and outgoing datagrams with IP

protocol field = 17 and with either source or dest port = 23.
all incoming, outgoing UDP flows and telnet connections
are blocked. (TCP port 23 is for telnet; IP protocol=17 is UDP)

The first segment in every TCP connection has the ACK bit set to 0,
whereas all other segments in the connection have the ACK bit set to 1

ECE/CSC 570, Fall 2014

Firewall Setting

Policy

Example 2: Block inbound TCP segments with ACK=0.

prevents external clients from making TCP connections
with internal clients, but allows internal clients to connect
to outside.

63

ECE/CSC 570, Fall 2014

62

64

No outside Web access.

Drop all outgoing packets to any IP

address, port 80

No incoming TCP connections,

except those for institutions public
Web server only.

Drop all incoming TCP SYN packets to

any IP except 130.207.244.203, port 80

Prevent Web-radios from eating up

the available bandwidth.

Drop all incoming UDP packets - except

DNS and router broadcasts.

Prevent your network from being

used for a smurf DoS attack.

Drop all ICMP packets going to a

broadcast address (eg
130.207.255.255).

Prevent your network from being

tracerouted

Drop all outgoing ICMP TTL expired

traffic

ECE/CSC 570, Fall 2014

Access Control Lists

Stateful packet filtering

ACL: table of rules, applied top to bottom to incoming

stateless packet filter: heavy handed tool

packets: (action, condition) pairs

action
allow

source
address
222.22/16

dest
address
outside of
222.22/16

allow

outside of
222.22/16

222.22/16

allow

222.22/16

allow

outside of
222.22/16

222.22/16

deny

all

all

outside of
222.22/16

protocol
TCP

admits packets that make no sense, e.g., dest port = 80, ACK bit
set, even though no TCP connection established:
source
port

dest
port

> 1023

flag
bit

action

any

80

allow

TCP

80

> 1023

ACK

UDP

> 1023

53

---

UDP

53

> 1023

----

all

all

all

all

allow

source

dest
address

outside of

outside of
222.22/16
222.22/16

222.22/16
allow
allow

222.22/16
outside of

outside of
222.22/16
222.22/16

222.22/16
deny

67

all

dest

flag

port

port

bit

80

> 1023

ACK

TCP

timeout inactive connections at firewall: no longer admit packets

address
222.22/16

222.22/16

source

track connection setup (SYN), teardown (FIN): can determine

whether incoming, outgoing packets makes sense

66

all

source

dest

flag

port

port

bit

TCP

> 1023

80

TCP

80

> 1023

ACK

UDP

> 1023

53

---

UDP

53

> 1023

----

all

all

all

all

proto

ECE/CSC 570, Fall 2014

ECE/CSC 570, Fall 2014

Application Gateway
Application gateway look beyond the IP/TCP/UDP headers and make
policy decisions based on application data.

ACL augmented to indicate need to check connection

state table before admitting packet

allow

outside of

protocol

stateful packet filter: track status of every TCP connection

Stateful packet filtering

action

dest
address

222.22/16

ECE/CSC 570, Fall 2014

65

source
address

check
connection

any

A firewall consisting of two packet filters and an application gateway.

68

ECE/CSC 570, Fall 2014

Application Gateways (2)

Filters packets on
application data as well as
on IP/TCP/UDP fields.

host-to-gateway
telnet session

Example: allow selected

internal users to telnet
outside.

application
gateway

Limitations of firewalls and gateways

gateway-to-remote
host telnet session

IP spoofing: router cant

know if data really
comes from the claimed
source

router and filter

if multiple apps. need

special treatment, each
has own app. gateway.
client software must know
how to contact gateway.

1. Require all telnet users to telnet through gateway.

2. For authorized users, gateway sets up telnet connection to dest host.
Gateway relays data between 2 connections

ECE/CSC 570, Fall 2014

tradeoff: degree of
communication with
outside world, level of
security
many highly protected
sites still suffer from
attacks.

e.g., must set IP address of

proxy in Web browser

3. Router filter blocks all telnet connections not originating from

gateway.

69

filters often use all or

nothing policy for UDP.

ECE/CSC 570, Fall 2014

70

Virtual Private Networks (VPN)

Other Issues
Wireless Security

(a) A leased-line private network.

Wi-Fi: Free-riders heaven

(b) A virtual private network.

802.11 Security
WEP (Wired Equivalent Privacy) Protocol
IEEE announced that 802.11 WEB1.0 was completely
broken (Sept. 7, 2001)

Social Issues

71

ECE/CSC 570, Fall 2014

72

ECE/CSC 570, Fall 2014