Some Backgrounds on Network Security
Rocky K. C. Chang
12 February 2003


Purposes of network security
• Four main purposes (or services):
  – Secrecy (or confidentiality): Prevent others from reading information shared between two participants.
  – Authentication: Verifying someone’s or something’s identity.
  – Message integrity: Assure that the message received has not been altered since it was generated by a legitimate source.
  – Nonrepudiation: A sender should not be able to falsely deny later that he sent a message.
• Two approaches:
  – Secrecy of the cryptographic algorithm (restricted algorithm)
  – The cryptographic algorithm is not a secret, but the key is.

Types of attacks
• Passive attacks (eavesdropping), e.g.,
  – ciphertext-only attacks
  – known-plaintext attacks
  – chosen-plaintext attacks
• Active attacks, e.g.,
  – pretend to be someone else
  – introduce new messages in the protocol
  – delete existing messages
  – substitute one message for another
  – replay old messages

Scope of consideration
• Scope:
  – Concerns mainly communication between two parties (group communication security will be discussed later).
  – Concerns attacks against protocols, not those against cryptographic algorithms or cryptographic techniques used to implement the algorithms.
• Other network security issues
  – Infrastructure security, i.e. attacks on routers, DNS root servers, etc.
  – Worms and viruses
  – Distributed DoS (DDoS) attacks (DoS attacks will be considered though)
  – System security

Three cryptographic functions
• Hash functions: require 0 key
• Secret key functions: require 1 key
• Public key functions: require 2 keys

[Figure: secret key functions, public key functions and hash functions shown against the secrecy, authentication, message integrity and nonrepudiation services]

Secret key (symmetric) cryptography
• Given:
  – Alice and Bob agree on a secret key cryptosystem.
  – Alice and Bob agree on a key (secret).
• Encryption and decryption using the key.
  – M --> E_K(M) --> D_K(E_K(M)) --> M
• Problems:
  – Keys must be distributed in secret.
  – Compromising keys means compromising all aspects of security.
  – The number of keys is not scalable to the user population size.

Secret key cryptography algorithms
• Data Encryption Standard (DES), International Data Encryption Algorithm (IDEA), and Advanced Encryption Standard (AES)
• Example: a 64-bit DES
  – There is no mathematical proof that DES is secure.
  – Two techniques used: confusion and diffusion.
  – The only approach is to search the entire key space.
• When more than 64 bits are required, use cipher block chaining (CBC).
  – The ciphertext for block i is XORed with the plaintext for block i+1 before running it through DES.
  – An initialization vector (IV) is used in lieu of the nonexistent block 0.
  – The IV is randomly generated by the sender and is sent along with the encrypted message.
• Triple-DES, i.e., encrypt the data three times.

DES algorithm

[Figure: DES algorithm. Initial permutation, Round 1, Round 2, ..., Round 16 (each round using the 56-bit key), final permutation.]

Cipher block chaining

[Figure: cipher block chaining. Block1 is XORed (+) with the IV and passed through DES to give Cipher1; Block2, Block3 and Block4 are each XORed with the previous cipher block before DES, giving Cipher2, Cipher3 and Cipher4.]

Security uses of secret key cryptography
• Secrecy, authentication, and message integrity services
• Assumption: both client and server already share a secret key.
• Approach:
  – Each side generates a random number encrypted with the secret key.
  – See whether the other side can decrypt it.
• Successful if CHK = SHK (client and server handshaking keys)
• SK: Session key
• Message exchange between Client and Server:
  1. Client --> Server: ClientId, E(x, CHK)
  2. Server --> Client: E(x + 1, SHK), E(y, SHK)
  3. Client --> Server: E(y + 1, CHK)
  4. Server --> Client: E(SK, SHK)

Secret key based authentication
• This approach is based on a trusted third party (authentication server), e.g., Kerberos protocol.
• Assumptions: A shares a secret key with S, and so does B.
• Notations in the messages:
  – T: Timestamp
  – L: Lifetime
  – K: Session key for A and B
  – K_A, K_B: A’s secret key shared with S and B’s secret key shared with S, respectively.
  – A, B: The participants’ identities
• Message exchange among A, S and B:
  1. A --> S: A, B
  2. S --> A: E((T, L, K, B), K_A), E((T, L, K, A), K_B)
  3. A --> B: E((A, T), K), E((T, L, K, A), K_B)
  4. B --> A: E(T + 1, K)

Secret key based message integrity
• Produce a small, fixed-sized “checksum” based on the message under protection.
  – This cryptographic checksum is referred to as message integrity code (MIC) or message authentication code (MAC).
• E.g., apply DES with CBC to the message, and then use the CBC residue as the message integrity code (MIC).
  – The residue is the last block of the CBC output.
  – The plaintext message plus the MIC would be sent to the receiver.
  – The receiver needs to reproduce the “checksum” and compare it with the MIC.
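The CBC chaining from the earlier slides and the CBC-residue MIC above, as an added example that is not part of the original notes. Python has no DES in its standard library, so `feistel` is a constructed 16-round stand-in cipher with DES's 64-bit block size; the padding scheme and the fixed all-zero IV used for the MIC are assumptions as well.

```python
import hashlib
import os

BLOCK = 8  # 64-bit blocks, the DES block size

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def feistel(block: bytes, key: bytes, rounds) -> bytes:
    # Stand-in 16-round Feistel cipher (constructed for this example, NOT DES).
    left, right = block[:4], block[4:]
    for i in rounds:
        f = hashlib.sha256(key + bytes([i]) + right).digest()[:4]
        left, right = right, xor(left, f)
    return right + left

def encrypt_block(block: bytes, key: bytes) -> bytes:
    return feistel(block, key, range(16))

def decrypt_block(block: bytes, key: bytes) -> bytes:
    return feistel(block, key, reversed(range(16)))  # same rounds, reverse order

def pad(msg: bytes) -> bytes:
    n = BLOCK - len(msg) % BLOCK  # PKCS#7-style padding (an assumption)
    return msg + bytes([n]) * n

def cbc_encrypt(msg: bytes, key: bytes, iv: bytes) -> bytes:
    prev, out, data = iv, b"", pad(msg)
    for i in range(0, len(data), BLOCK):
        # Previous ciphertext block (the IV for block 1) is XORed in first.
        prev = encrypt_block(xor(data[i:i + BLOCK], prev), key)
        out += prev
    return out

def cbc_decrypt(ct: bytes, key: bytes, iv: bytes) -> bytes:
    prev, out = iv, b""
    for i in range(0, len(ct), BLOCK):
        block = ct[i:i + BLOCK]
        out += xor(decrypt_block(block, key), prev)
        prev = block
    return out[:-out[-1]]  # strip the padding

def cbc_residue_mic(msg: bytes, key: bytes) -> bytes:
    # MIC = last CBC ciphertext block, computed with a fixed all-zero IV.
    return cbc_encrypt(msg, key, bytes(BLOCK))[-BLOCK:]

if __name__ == "__main__":
    key, iv = os.urandom(8), os.urandom(BLOCK)  # constructed sample key and IV
    msg = b"pay Bob 100 dollars"
    assert cbc_decrypt(cbc_encrypt(msg, key, iv), key, iv) == msg
    print("MIC:", cbc_residue_mic(msg, key).hex())
```

Because every ciphertext block feeds into the next one, a change anywhere in the message changes the residue, which is what lets the last block act as a checksum.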

Hash functions
• A hash, or message digest, is a one-way function that produces a short, fixed-sized output.
• Properties:
  – One-way functions are relatively easy to compute, i.e., given x, compute h(x).
  – However, given h(x), it is significantly harder to compute x.
  – It is computationally infeasible to find two inputs that hash to the same value.
• Provide mainly message integrity service, and help in generating digital signatures.

Hash algorithms
• Message Digest (MD-n, n = 1, …, 5), and Secure Hash Algorithm (SHA-1)

[Figure: the padded message is processed in 512-bit blocks by a chain of Transform steps, starting from an initial “digest” (constant) and ending with the 128-bit message digest.]

Keyed message integrity protocols
• Just hashing a message under protection is inadequate.
• Message integrity protocols can be based on secret key encryption.
  – Assume that Alice and Bob share a secret key k.
  – Alice sends M + MD5(M + k), where + refers to the concatenation of two messages.
  – Bob applies MD5 to M + k, and compares it with the MIC.
• Message integrity protocols can be based on public key encryption.
  – Alice sends M + MD5(M + k) + E_Pri(A)(k), where k is a random number picked by Alice.
  – Bob recovers k by D_Pub(A)(E_Pri(A)(k)).
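An added example (not from the original notes) of the shared-key protocol above: Alice's M + MD5(M + k), Bob's check, and why an unkeyed hash gives no protection once someone rewrites the message in transit. The HMAC-SHA256 variant is the standard keyed construction shown for comparison; function names and sample values are constructed.

```python
import hashlib
import hmac

def md5_unkeyed(m: bytes) -> bytes:
    # Plain hash: anyone who changes M can also recompute this.
    return hashlib.md5(m).digest()

def md5_keyed(k: bytes):
    # The slide's MIC: MD5(M + k), "+" meaning concatenation.
    return lambda m: hashlib.md5(m + k).digest()

def hmac_sha256(k: bytes):
    # Standard keyed construction, shown for comparison (not on the slide).
    return lambda m: hmac.new(k, m, hashlib.sha256).digest()

def send(message: bytes, mic_fn) -> bytes:
    # Alice: the message followed by its integrity code.
    return message + mic_fn(message)

def receive(packet: bytes, mic_fn, mic_len: int):
    # Bob: split off the MIC, recompute it, compare in constant time.
    if len(packet) < mic_len:
        return None
    message, mic = packet[:-mic_len], packet[-mic_len:]
    return message if hmac.compare_digest(mic, mic_fn(message)) else None

if __name__ == "__main__":
    k = b"constructed-shared-key"
    original, altered = b"pay Bob 100", b"pay Eve 900"
    # Unkeyed: a rewritten message with a recomputed hash is accepted.
    print(receive(send(altered, md5_unkeyed), md5_unkeyed, 16))
    # Keyed: the same rewrite is rejected because the modifier lacks k.
    print(receive(send(altered, md5_unkeyed), md5_keyed(k), 16))
    print(receive(send(original, md5_keyed(k)), md5_keyed(k), 16))
    print(receive(send(original, hmac_sha256(k)), hmac_sha256(k), 32))
```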

Public key (asymmetric) cryptography
• Given:
  – Alice and Bob agree on a public key cryptosystem.
  – Alice owns a pair of public key and private key, and Bob knows Alice’s public key, which is not a secret.
• Encryption using the public key and decryption using the private key.
  – Bob sends a message intended only for Alice to see.
  – M --> E_Pub(A)(M) --> D_Pri(A)(E_Pub(A)(M)) --> M.
• Problems:
  – Public-key algorithms are slow. Symmetric algorithms are at least 1000 times faster.
  – Vulnerable to chosen-plaintext attacks.

Public key cryptography algorithms
• RSA (Rivest, Shamir, and Adleman), Elliptic Curve Cryptography (ECC), ElGamal (ElG), Digital Signature Standard (DSS), Diffie-Hellman (DH)
  – RSA and ECC do encryption and digital signatures
  – ElG and DSS do digital signatures
  – DH allows an establishment of a shared secret.
• It is computationally hard to deduce the private key from the public key.
  – For example, the choice of the public and private keys in RSA is based on a multiplication of two large prime numbers.

Public key based authentication
• A picks a random number and encrypts it with B’s public key.
• Unlike the secret key approach, Bob only needs to remember its own private key for authentication.
• Moreover, Alice does not need to keep any secret in order to verify Bob.
• Message exchange between A and B:
  1. A --> B: E(x, Public_B)
  2. B --> A: x

Digital signatures
• Digital signatures, similar to handwritten signatures, are used as a proof of authorship.
• A digital signature is a special case of an MIC, where the code can only be generated by the authorized participant.
• The digital signatures must be
  – verifiable,
  – nonforgeable,
  – unalterable,
  – not reusable, and
  – nonrepudiable.

Public key based digital signatures
• Private key algorithms cannot achieve the nonrepudiable objective.
• To digitally sign a document using RSA, a sender uses its private key to produce the signature, and the receiver uses the public key to verify it.
  – In RSA, both the private key and public key can be used for encryption (not with DSS).
  – Alice encrypts M using its private key: E_Pri(A)(M).
  – Alice sends M and E_Pri(A)(M) to Bob.
  – Bob decrypts the signature using Alice’s public key, D_Pub(A)(E_Pri(A)(M)), and compares the result with M.

RSA digital signatures
• Verifiable (use Alice’s public key)
• Nonforgeable (only Alice has the private key)
• Unalterable (do not produce the same document)
• Not reusable (pertain to that document), and
• Nonrepudiable

RSA digital signatures with MD5
• In practice, public key algorithms are too slow to sign long documents, and the signature is also too long.
• Instead of signing the whole document, a sender signs the checksum produced by a hash function, such as MD5.
  – Alice signs the hash value of the document and sends M + E_Pri(A)(MD5(M)).
  – Bob computes the hash by running MD5(M).
  – Bob decrypts E_Pri(A)(MD5(M)).
  – Bob compares MD5(M) and D_Pub(A)(E_Pri(A)(MD5(M))).
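Signing the digest instead of the document, as an added example that is not part of the original notes. It uses textbook RSA without padding, as the slides describe it, and a constructed toy key built from two Mersenne primes that is far too small for real use; all names are hypothetical.

```python
import hashlib

# Constructed toy key (an assumption of this example): two Mersenne primes.
P, Q = 2**61 - 1, 2**89 - 1
N = P * Q                           # public modulus, about 150 bits
E = 65537                           # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (needs Python 3.8+)

def e_pri(value: int) -> int:
    # E_Pri(A)(value): textbook RSA with Alice's private key, no padding.
    if not 0 <= value < N:
        raise ValueError("value does not fit in one RSA block")
    return pow(value, D, N)

def d_pub(value: int) -> int:
    # D_Pub(A)(value): the inverse operation with Alice's public key.
    return pow(value, E, N)

def md5_int(message: bytes) -> int:
    # The 128-bit digest as an integer; always smaller than N here.
    return int.from_bytes(hashlib.md5(message).digest(), "big")

def alice_sign(message: bytes):
    # Alice sends M together with E_Pri(A)(MD5(M)).
    return message, e_pri(md5_int(message))

def bob_verify(message: bytes, signature: int) -> bool:
    # Bob compares MD5(M) with D_Pub(A)(signature).
    if not 0 <= signature < N:
        return False
    return d_pub(signature) == md5_int(message)

if __name__ == "__main__":
    doc = b"I owe Bob 100 dollars. " * 10   # constructed sample document
    msg, sig = alice_sign(doc)
    print(bob_verify(msg, sig))              # genuine document
    print(bob_verify(msg + b"0", sig))       # altered document
    try:
        e_pri(int.from_bytes(doc, "big"))    # signing the document directly
    except ValueError as err:
        print("direct signing:", err)
```

The last call shows the practical reason for hashing first: the whole document does not fit into a single RSA operation, while its fixed-size digest always does.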

Digital signatures with encryption
• The security of encryption can be combined with the authenticity of digital signatures.
  – Alice signs a message M and sends S_A(M), where the signing can be based on any method discussed before.
  – Alice encrypts the signed message with Bob’s public key: E_Pub(B)(S_A(M)).
  – Bob decrypts the received message: D_Pri(B)(E_Pub(B)(S_A(M))).
  – Bob verifies the signed message S_A(M).
• Signing before encrypting is a prudent practice.
  – You know what you are signing.
  – Signatures cannot be removed from an encrypted message.

Remaining issues
• For the private key approach, how does a pair of participants generate and manage their shared secret key?
  – Use RSA key exchange with digital signatures.
  – Diffie-Hellman key exchange
• For the public key approach, how can one obtain another’s true public key or how can one reliably advertise one’s public key to others?
  – Digital certificates
  – Certification authority (a trusted third party approach)

Internet security
• IP layer: IP security (IPSec): Encapsulating Security Payload (ESP) and Authentication Header (AH)
  – AH mainly provides access control, connectionless message integrity, and anti-replay protection.
  – ESP, in addition to the services provided by AH, provides also secrecy.
• Transport layer: Secure Socket Layer (SSL) and Transport Layer Security (TLS)
  – Provide secrecy and message integrity between two communicating applications.
  – This is a generic security protocol supporting any applications, for example, HTTP/TLS/TCP.

Internet security
• Application-specific:
  – SET for payment-card transactions
  – Privacy Enhanced Mail (PEM) and Pretty Good Privacy (PGP) for email security
  – Secure HTTP (S-HTTP) for WWW (RFC 2660)
  – DNSSEC for DNS
• Others:
  – Multicast group security
  – Multimedia security
  – Mobile and wireless network security
  – Enterprise security (virtual private network)
  – Remote access security

Acknowledgments
• This set of notes is based on
  – C. Kaufman, R. Perlman, and M. Speciner, Network Security: Private Communication in a Public World, Second Edition, Prentice Hall PTR, 2002.
  – L. Peterson and B. Davie, Computer Networks: A Systems Approach, Morgan Kaufmann, 2000.
  – B. Schneier, Applied Cryptography, Second Edition, Wiley, 1996.