0% found this document useful (0 votes)
32 views39 pages

Chapter - 8 Network Security

The document discusses network security and cryptography. It introduces network security principles like confidentiality, authentication, and message integrity. It describes symmetric cryptography which uses a shared secret key for encryption and decryption, and asymmetric cryptography which uses public/private key pairs. Symmetric cryptography is faster but has key management issues, while asymmetric cryptography solves the key distribution problem but is slower. Common cryptographic algorithms for both symmetric and asymmetric cryptography are also introduced.

Uploaded by

Nasir Ali
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPT, PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
32 views39 pages

Chapter - 8 Network Security

The document discusses network security and cryptography. It introduces network security principles like confidentiality, authentication, and message integrity. It describes symmetric cryptography which uses a shared secret key for encryption and decryption, and asymmetric cryptography which uses public/private key pairs. Symmetric cryptography is faster but has key management issues, while asymmetric cryptography solves the key distribution problem but is slower. Common cryptographic algorithms for both symmetric and asymmetric cryptography are also introduced.

Uploaded by

Nasir Ali
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PPT, PDF, TXT or read online on Scribd
You are on page 1/ 39

Network Security

 understand principles of network security:


 cryptography and its many uses beyond “ confidentiality”
 authentication
 message integrity

Network Security 8-1


Chapter 8 roadmap
8.1 What is network security?
8.2 Principles of cryptography
8.3 Message integrity, authentication

Network Security 8-2


What is network security?
confidentiality: only sender, intended receiver should
“ understand” message contents
 sender encrypts message
 receiver decrypts message
authentication: sender, receiver want to confirm identity of
each other
message integrity: sender, receiver want to ensure message
not altered (in transit, or afterwards) without detection
access and availability: services must be accessible and
available to users

Network Security 8-3


Friends and enemies: Alice, Bob, Trudy
 well-known in network security world
 Bob, Alice (lovers!) want to communicate “ securely”
 Trudy (intruder) may intercept, delete, add messages

Alice Bob
channel data, control
messages

data secure secure data


sender s
receiver

Trudy

Network Security 8-4


Who might Bob, Alice be?
 … well, real-life Bobs and Alices!
 Web browser/server for electronic transactions
(e.g., on-line purchases)
 on-line banking client/server
 DNS servers
 routers exchanging routing table updates
 other examples?

Network Security 8-5


There are bad guys (and girls) out there!
Q: What can a “ bad guy” do?
A: A lot! See section 1.6
 eavesdrop: intercept messages(to listen to someone's
private conversation without them knowing)
 actively insert messages into connection
 impersonation: can fake (spoof) source address in
packet (or any field in packet)
 hijacking: “ take over” ongoing connection by
removing sender or receiver, inserting himself in place
 denial of service: prevent service from being used by
others (e.g., by overloading resources)

Network Security 8-6


Chapter 8 roadmap
8.1 What is network security?
8.2 Principles of cryptography
8.3 Message integrity, authentication
8.4 Securing e-mail
8.5 Securing TCP connections: SSL
8.6 Network layer security: IPsec
8.7 Securing wireless LANs
8.8 Operational security: firewalls and IDS

Network Security 8-7


The language of cryptography

Alice’s Bob’s
K encryption K decryption
A
key Bkey

plaintext encryption ciphertext decryption plaintext


algorithm algorithm

m plaintext message
KA(m) ciphertext, encrypted with key KA
m = KB(KA(m))

Network Security 8-8


Network Security 8-9
Cryptography: Basic Terminology
 Plaintext (or cleartext)
 The message.
 Denoted by M or P.
 Encryption (encipher)
 Encoding of message.
 Denoted by E.
 Ciphertext
 Encrypted message.
 Denoted by C.
 Decryption (decipher)
 decoding of ciphertext
 denoted by D.
EMTM 553
10 4/20/01 8-10
Encryption and Decryption

M C M
E D

The following identity must hold true:


D(C) = M, where C = E(M)

EMTM 553
11 4/20/01 8-11
Key Based
Encryption/Decryption
K1 K2

M C M
E D

Symmetric Case: both keys are the same or


derivable from each other.
Asymmetric Case: keys are different and not
derivable from each other.

EMTM 553
12 4/20/01 8-12
1. Secrete Key Cryptography
K K

M C M
S E D R

K is the secret key shared by both the


sender (S) and receiver (R).

EMTM 553
13 4/20/01 8-13
Secrete Key Cryptography
 Also called symmetric or single-key algorithms.
 The encryption and the decryption key are the same.
 Techniques based on a combination of substitution
and permutation.
 Stream ciphers: operate on single bit or byte.
 Block ciphers: operate on blocks (typically 64
bits)
 Advantage: simple, fast.
 Disadvantage: key exchange, key management.
 Examples: DES,RC4, IDEA, Blowfish, AES, etc.
EMTM 553
14 4/20/01 8-14
Symmetric Key - Issues
Key management, keys required = (p*(p-1))/2 or:

EMTM 553
15 4/20/01 8-15
Secrete Key Assurances
 Confidentiality
 is assurance that only owners of a shared secrete key can decrypt a
message that has been encrypted with the shared secrete key
 Authentication
 is assurance of the identify of the person at the other end of the line (use
challenge and response protocols)
 Integrity
 is assurance that a message has not been changed during transit and is also
called message authentication (use message fingerprint)
 Non-repudiation
 is assurance that the sender cannot deny a file was sent. This cannot be
done with secrete key alone (need trusted third party or public key
technology)

EMTM 553
16 4/20/01 8-16
2. Public Key Cryptography
KR(pub) KR(pri)

M C M
S E D R

KR(pub) is Receiver’s public key and KR(pri) is


Receiver’s private key.

EMTM 553
17 4/20/01 8-17
Problem Statement
 Suppose Alice has an channel for communicating
with Bob.
 Alice and Bob wish to use this channel to
established a shared secret.
 However, Eve is able to learn everything sent over
the channel.
 If Alice and Bob have no other channel to use, can
they establish a shared secret that Eve does not
know?

EMTM 553
18 4/20/01 8-18
General Strategy
 A public key is used to encrypt a message that can be
decrypted only by the matching private key.
 Bob can use Alice’s public key to encrypt messages. Only
Alice can decrypt the message.
 Similarly, Alice can also use Bob’s public key.

19 4/20/01 8-19
Public Key Cryptography
symmetric key crypto public key crypto
 requires sender, receiver  radically different
know shared secret key approach [Diffie-
 Q: how to agree on key in Hellman76, RSA78]
first place (particularly if  sender, receiver do not
never “ met” )? share secret key
 public encryption key
known to all
 private decryption key
known only to receiver

Network Security 8-20


Public key cryptography
+
KB Bob’s public
key
- Bob’s private
K
B key

plaintext encryption ciphertext decryption plaintext


message, m algorithm + algorithm message
K (m) - +
B m = KB (K (m))
B

Network Security 8-21


Asymmetric Algorithms
 Also called public-key algorithms.
 Encryption key is different from decryption key.
 Furthermore, one cannot be calculated from other.
 Encryption key is often called the public key and decryption key is
often called the private key.
 Advantages: better key management.
 Disadvantages: slower, more complex.
 Both techniques are complementary.
 Examples: RSA, Diffie-Hellman, El Gamal, etc.

EMTM 553
22 4/20/01 8-22
RSA Public Keys
 Named for Ron Rivest, Adi Shamir, and Len
Adleman, published in 1978.
 Most widely known and used public key system.
 No shared secret is required.
 Based on some number-theoretic facts/results.
 Strength lies in the difficulty of determining the
prime factors of a (large) number.
 Hardware improvements will not weaken RSA as
long as appropriate key lengths are used.
EMTM 553
23 4/20/01 8-23
RSA: another important property
The following property will be very useful later:

- + + -
K (K (m)) = m = K (K (m))
B B B B

use public key use private key


first, followed by first, followed by
private key public key

result is the same!

Network Security 8-24


Authentication
Goal: Bob wants Alice to “ prove” her identity to him
Protocol ap1.0: Alice says “ I am Alice”

“I am Alice”
Failure scenario??

Network Security 8-25


Authentication
Goal: Bob wants Alice to “ prove” her identity to him
Protocol ap1.0: Alice says “ I am Alice”

in a network,
Bob can not “see” Alice,
so Trudy simply declares
“I am Alice” herself to be Alice

Network Security 8-26


Authentication: another try
Protocol ap2.0: Alice says “I am Alice” in an IP packet
containing her source IP address

Alice’s
IP address
“I am Alice”

Failure scenario??

Network Security 8-27


Authentication: another try
Protocol ap2.0: Alice says “I am Alice” in an IP packet
containing her source IP address

Trudy can create


a packet “spoofing”
Alice’s
Alice’s address
IP address
“I am Alice”

Network Security 8-28


Authentication: another try
Protocol ap3.0: Alice says “ I am Alice” and sends her
secret password to “ prove” it.

Alice’s Alice’s
“I’m Alice”
IP addr password

Alice’s Failure scenario??


OK
IP addr

Network Security 8-29


Authentication: another try
Protocol ap3.0: Alice says “ I am Alice” and sends her
secret password to “ prove” it.

Alice’s Alice’s
“I’m Alice”
IP addr password
playback attack: Trudy
Alice’s records Alice’s packet
OK
IP addr and later
plays it back to Bob

Alice’s Alice’s
“I’m Alice”
IP addr password

Network Security 8-30


Authentication: yet another try
Protocol ap3.1: Alice says “ I am Alice” and sends her
encrypted secret password to “ prove” it.

Alice’s encrypted
“I’m Alice”
IP addr password

Alice’s Failure scenario??


OK
IP addr

Network Security 8-31


Authentication: yet another try
Protocol ap3.1: Alice says “ I am Alice” and sends her
encrypted secret password to “ prove” it.

Alice’s encrypted
“I’m Alice” record
IP addr password
and
Alice’s
OK playback
IP addr
still works!

Alice’s encrypted
“I’m Alice”
IP addr password

Network Security 8-32


Authentication: yet another try
Goal: avoid playback attack
nonce: number (R) used only once-in-a-lifetime
ap4.0: to prove Alice “ live” , Bob sends Alice nonce, R.
Alice
must return R, encrypted with shared secret key
“I am Alice”

R
KA-B(R) Alice is live, and
only Alice knows
key to encrypt
nonce, so it must
Failures, drawbacks? be Alice!
Network Security 8-33
Authentication: ap5.0
ap4.0 requires shared symmetric key
 can we authenticate using public key techniques?

ap5.0: use nonce, public key cryptography

“I am Alice”
Bob computes
R + -
- K A(K A(R)) = R
K A (R)
and knows only Alice
“send me your public key” could have the private
+ key, that encrypted R
KA such that
+ -
K (K (R)) = R
A A

Network Security 8-34


ap5.0: security hole
man (or woman) in the middle attack: Trudy poses as Alice
(to Bob) and as Bob (to Alice)

I am Alice I am Alice
R -
K (R)
T
R - Send me your public key
K (R) +
A K
T
Send me your public key
+
K
A +
K (m)
Trudy gets T
- +
+ m = K (K (m))
K (m) T T
A sends m to Alice
- +
m = K (K (m)) encrypted with
A A Alice’s public key
Network Security 8-35
ap5.0: security hole
man (or woman) in the middle attack: Trudy poses as Alice
(to Bob) and as Bob (to Alice)

difficult to detect:
Bob receives everything that Alice sends, and vice versa.
(e.g., so Bob, Alice can meet one week later and recall
conversation!)
problem is that Trudy receives all messages as well!

Network Security 8-36


Digital signatures
cryptographic technique analogous to hand-written
signatures:
 sender (Bob) digitally signs document, establishing
he is document owner/creator.
 verifiable, nonforgeable: recipient (Alice) can prove
to someone that Bob, and no one else (including
Alice), must have signed document

Network Security 8-37


Digital signatures
simple digital signature for message m:
-
 Bob signs m by encrypting with his private key KB,
-
creating “ signed” message, KB(m)

- Bob’s private -
Bob’s message, m KB m,K B(m)
key
Dear Alice
Bob’s message,
Oh, how I have missed Public key m, signed
you. I think of you all the
time! …(blah blah blah) encryption (encrypted) with
algorithm his private key
Bob

Network Security 8-38


Digital signatures
-
 suppose Alice receives msg m, with signature: m, KB(m)
 Alice verifies
-
m signed by Bob by applying Bob’s public key
+ + -
KB to KB(m) then checks KB(KB(m) ) = m.
+ -
 If KB(KB(m) ) = m, whoever signed m must have used Bob’s
private key.
Alice thus verifies that:
 Bob signed m
 no one else signed m
 Bob signed m and not m‘
non-repudiation:
 Alice can take m, and signature K B(m) to court and prove that
Bob signed m -

Network Security 8-39

You might also like