Chapter 8 – Network Security

Posted 28-Jan-2016 (transcript of a 32-slide lecture deck)

Two main topics: cryptographic algorithms and mechanisms, and firewalls

Chapter may be hard to understand if you don’t have some background. The topics are very extensive and 50 pages of text can’t cover much at all.

Page 2: Chapter 8 – Network Security

Encryption

Two main divisions:

Symmetric – the same key both encrypts and decrypts (examples: DES, Blowfish, RC2, RC4; of these, DES, RC2 and RC4 are now considered broken or obsolete, and AES is the standard choice today)

Asymmetric – different keys, one for encrypting and one for decrypting (example: RSA; Diffie-Hellman (DH) is the asymmetric method for agreeing on a key rather than for encrypting data)

Symmetric: usually much faster to compute, but key distribution is harder (the shared secret has to reach the other party over a channel an attacker cannot read)

Asymmetric: much slower to compute, but key distribution is easier (only the public half is distributed, and it need not be kept secret, only authentic)

Page 3: Chapter 8 – Network Security

Problems requiring Encryption (in plain English)

You don’t want your data intercepted in-transit by an unintended recipient

You want to be sure that you are communicating with the person or website that you intend

You want to be able to prove that you are who you say you are

Page 4: Chapter 8 – Network Security

Secret keys – symmetric encryption

Simple enough in concept – encrypt your message with a secret key and send it to a recipient – see next diagram

Read over the details of the example method given in the text (DES), but we will focus more on RSA

Page 5: Chapter 8 – Network Security

Figure: Plaintext → encrypt with secret key → Ciphertext → decrypt with secret key → Plaintext (the same secret key is used at both ends)

Page 6: Chapter 8 – Network Security

Public Key or Asymmetric Algorithms

Usually based on mathematical problems believed to be hard to compute, such as factoring a large number that is the product of two large primes (RSA) or calculating discrete logarithms (DH)

Two keys – a private key and a public key: one encrypts, the other decrypts. Only one copy of the private key exists, held by its owner; there can be many copies of the public key

Page 7: Chapter 8 – Network Security

Public Key Usage

Look over the accompanying slides (handout) on the usage of Public Key cryptography

Factoid: RSA is roughly 100x to 10,000x slower to compute than a secret-key method like DES or Blowfish

Therefore bulk encryption is not usually done with a public-key method; instead a secret (symmetric) key is generated, used to encrypt the data, and that key is passed using public-key encryption – see slides

Page 8: Chapter 8 – Network Security

Terminology

Key – a string of bits (often written as characters) used to encrypt or decrypt a message

Plain text – the original message

Cipher text – the encrypted message

Public key – the part of a (public, private) key pair that is distributed to people who want to send you encrypted messages or verify your signatures

Private key – the part that you keep to yourself, used to decrypt messages sent to you and to sign messages you send

Page 9: Chapter 8 – Network Security

How Public and Private Keys Work

Plain text encrypted by the private key gives cipher text that can be decrypted (only) by the matching public key – this is the basis of a digital signature

Conversely, plain text encrypted by the public key gives cipher text that can be decrypted (only) by the matching private key – this is the basis of confidentiality

Note: plain text encrypted by a public key cannot be decrypted by a second use of the same public key (and the same holds for the private key)

Page 10: Chapter 8 – Network Security

How it Works (continued)

Note: if you want to keep your data secret it does not work to encrypt data with your private key and send it off to be decrypted with your public key, because your public key (being public!) may be in the hands of people other than your intended recipient

Therefore, for secrecy in both directions, each side needs its own (private, public) key pair, and each encrypts with the other side's public key (see the diagrams in the handout)

Caveat: if you want to prove that you are who you say you are, then encrypting with your private key is useful, since only you possess it! In practice you encrypt a short digest (hash) of the message rather than the message itself; the result is the digital signature

Page 11: Chapter 8 – Network Security

Figure: Plaintext → encrypt with the recipient's public key → Ciphertext → decrypt with the recipient's private key → Plaintext

Page 12: Chapter 8 – Network Security

Security

Figure: the security services (authentication, privacy, message integrity) are built from three kinds of cryptographic algorithm: public key (e.g., RSA), secret key (e.g., DES) and message digest (e.g., MD5)

Page 13: Chapter 8 – Network Security

Security Mechanisms

Authentication, trusted third party, digital signatures, certificates are all mechanisms based on various uses of encryption to handle those problems stated earlier in plain English

The next diagrams show graphically some of the handshaking that needs to go on

Page 14: Chapter 8 – Network Security

Three-way handshake with shared secret keys. CHK = client handshake key and SHK = server handshake key, both known in advance to client and server; x and y are random challenges; SK is the session key the server hands out for this connection:

1. Client → Server: ClientId, E(x, CHK)
2. Server → Client: E(x + 1, SHK), E(y, SHK)
3. Client → Server: E(y + 1, CHK)
4. Server → Client: E(SK, SHK)
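The exchange above run end to end, with both sides' messages, as an added example (Python, standard library only; this is not code from the textbook or the slides). The slide's E(msg, key) is stood in for by a toy authenticated cipher built from HMAC-SHA256 (keystream plus tag), so a message under the wrong key or a modified message is rejected rather than silently garbled; a real implementation would use AES-GCM or ChaCha20-Poly1305. The client name "alice", the key table and the demo keys are constructed for the example.

```python
import hashlib
import hmac
import secrets
import struct

# Toy stand-in for the slide's E(msg, key): encrypt-then-MAC with HMAC-SHA256.
# keystream block i = HMAC(key, nonce || i); tag = HMAC(key, nonce || ciphertext).
# Assumption for illustration only; use AES-GCM or ChaCha20-Poly1305 in real code.
def E(key: bytes, msg: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ks = b"".join(hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
                  for i in range(len(msg) // 32 + 1))
    ct = bytes(m ^ k for m, k in zip(msg, ks))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def D(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("bad tag: wrong key or tampered message")
    ks = b"".join(hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
                  for i in range(len(ct) // 32 + 1))
    return bytes(c ^ k for c, k in zip(ct, ks))

def enc_int(n: int) -> bytes:
    return n.to_bytes(8, "big")

def dec_int(b: bytes) -> int:
    return int.from_bytes(b, "big")

class Server:
    def __init__(self, key_table):
        self.keys = key_table          # {client_id: (CHK, SHK)}, shared in advance

    def msg2(self, client_id, m1):
        # Message 1 was: ClientId, E(x, CHK). Only a holder of CHK can have produced it.
        self.chk, self.shk = self.keys[client_id]
        x = dec_int(D(self.chk, m1))
        self.y = secrets.randbits(64)  # the server's own challenge
        # Message 2: E(x + 1, SHK), E(y, SHK) -- proves we hold SHK and issues challenge y.
        return E(self.shk, enc_int(x + 1)), E(self.shk, enc_int(self.y))

    def msg4(self, m3):
        # Message 3 was: E(y + 1, CHK). A replay of an old message 1 fails here.
        if dec_int(D(self.chk, m3)) != self.y + 1:
            raise ValueError("client failed challenge")
        self.sk = secrets.token_bytes(32)
        # Message 4: E(SK, SHK) -- a fresh session key for this connection only.
        return E(self.shk, self.sk)

class Client:
    def __init__(self, client_id, chk, shk):
        self.client_id, self.chk, self.shk = client_id, chk, shk

    def msg1(self):
        self.x = secrets.randbits(64)  # the client's challenge
        return self.client_id, E(self.chk, enc_int(self.x))

    def msg3(self, m2a, m2b):
        if dec_int(D(self.shk, m2a)) != self.x + 1:
            raise ValueError("server failed challenge")
        y = dec_int(D(self.shk, m2b))
        return E(self.chk, enc_int(y + 1))

    def finish(self, m4):
        self.sk = D(self.shk, m4)
        return self.sk

def run_handshake(client, server):
    """Drive the four messages; returns (client's copy of SK, server's copy of SK)."""
    cid, m1 = client.msg1()
    m2a, m2b = server.msg2(cid, m1)
    m3 = client.msg3(m2a, m2b)
    m4 = server.msg4(m3)
    return client.finish(m4), server.sk

def handshake_succeeds(client, server) -> bool:
    try:
        a, b = run_handshake(client, server)
        return a == b
    except ValueError:
        return False

if __name__ == "__main__":
    # Constructed demo keys; "alice" and her two handshake keys are assumptions.
    chk, shk = secrets.token_bytes(32), secrets.token_bytes(32)
    server = Server({"alice": (chk, shk)})
    print("correct keys:", handshake_succeeds(Client("alice", chk, shk), server))
    print("wrong CHK:   ", handshake_succeeds(Client("alice", secrets.token_bytes(32), shk), server))
```

Each side proves knowledge of a shared key by returning the other side's fresh challenge plus one; because x and y are random, a recorded message 1 or message 3 cannot be replayed in a later run, and the session key SK only ever travels under SHK.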

Page 15: Chapter 8 – Network Security

Authentication via a trusted third party (the Kerberos pattern). AS = authentication server, which shares the long-term key KA with A and KB with B; T = timestamp, L = lifetime, K = fresh session key for A and B:

1. A → AS: A, B
2. AS → A: E((T, L, K, B), KA), E((T, L, K, A), KB)
3. A → B: E((T, L, K, A), KB), E((A, T), K)
4. B → A: E(T + 1, K)

Page 16: Chapter 8 – Network Security

Public-key challenge. A → B: E(x, PublicB); B → A: x. Only the holder of B's private key can recover x, so a correct reply shows that B has it.

Page 17: Chapter 8 – Network Security

Certificates

Just a special type of digitally signed document

In plain English it says: “I certify that the public key in this document belongs to the entity named in the document, signed X.”

X would normally be a CA or Certification Authority – an administrative entity that is in the business of issuing certificates

Page 18: Chapter 8 – Network Security

“Chains of Trust”

Read over carefully the basic ideas behind the tree-structured certification authority given on page 592 and in figure 8.12

This whole issue is fraught with complications and standards – just the basic idea will suffice for us for this course

Page 19: Chapter 8 – Network Security

Figure 8.12: tree-structured certification hierarchy. IPRA = Internet Policy Registration Authority (root); PCAn = policy certification authority; CA = certification authority. The IPRA certifies PCA1, PCA2 and PCA3; each PCA certifies one or more CAs; CAs certify further CAs or end users. A user's certificate is checked by following the chain of signatures up to the IPRA root.

Page 20: Chapter 8 – Network Security

Example Systems

Privacy Enhanced Mail (PEM) – read over the basic idea on page 595 and study the following figures

Page 21: Chapter 8 – Network Security

PEM message signing. Sender: calculate an MD5 checksum over the message contents; sign the checksum using RSA with the sender's private key; transmit the message together with the signed checksum. Receiver: decrypt the signed checksum with the sender's public key; calculate the MD5 checksum on the received message and compare it against the received value; sender identity and message integrity are confirmed if the checksums match. (MD5 is no longer collision-resistant, so a modern system uses SHA-256 or stronger in this role.)

Page 22: Chapter 8 – Network Security

PEM message encryption. Sender: create a random secret key k; encrypt the original message using DES with secret key k; encrypt k using RSA with the recipient's public key; encode message + E(k) in ASCII for transmission. Receiver: convert the ASCII message back; decrypt E(k) using RSA with my private key, giving k; decrypt the message using DES with secret key k.
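Both PEM flows, and the public/private-key behaviour from the earlier slides (encrypt with the public key and decrypt with the private one; sign with the private key and verify with the public one; the challenge E(x, PublicB)), carried through in working code as an added example (Python, standard library only; not code from the textbook, the slides or PEM itself). Assumptions: textbook RSA with no padding and a 512-bit modulus, which shows the mechanics but is not safe to deploy (real code uses 2048-bit or larger keys with OAEP/PSS padding from a vetted library); SHA-256 in place of MD5 for the digest, since MD5 is collision-broken; a SHA-256 keystream as the stand-in for DES; the ASCII encoding step is left out; the message is constructed.

```python
import hashlib
import secrets

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test (trial division first for speed)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # full length, odd
        if is_probable_prime(cand):
            return cand

def generate_keypair(bits: int = 512):
    """Returns (public, private) as (exponent, modulus) pairs. Toy size: demo only."""
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    d = pow(e, -1, phi)          # private exponent: e * d == 1 (mod phi)
    return (e, p * q), (d, p * q)

def rsa_apply(key, m: int) -> int:
    """Raw RSA, m^k mod n: the public key encrypts/verifies, the private key decrypts/signs."""
    k, n = key
    if not 0 <= m < n:
        raise ValueError("message must be an integer below the modulus")
    return pow(m, k, n)

def digest_int(message: bytes) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big")

def sign(private, message: bytes) -> int:
    # Sender side of the signing figure: hash the message, apply the private key to the hash.
    return rsa_apply(private, digest_int(message))

def verify(public, message: bytes, signature: int) -> bool:
    # Receiver side: apply the sender's public key, recompute the hash, compare.
    return rsa_apply(public, signature) == digest_int(message)

def stream_xor(key: bytes, data: bytes) -> bytes:
    # Confidentiality-only keystream standing in for DES (assumption; no integrity check).
    blocks = len(data) // 32 + 1
    ks = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest() for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, ks))

def hybrid_encrypt(recipient_public, message: bytes):
    """Encryption figure: random k, message under k, k under the recipient's public key."""
    k = secrets.token_bytes(32)
    wrapped_k = rsa_apply(recipient_public, int.from_bytes(k, "big"))
    return wrapped_k, stream_xor(k, message)

def hybrid_decrypt(my_private, wrapped_k: int, ciphertext: bytes) -> bytes:
    k = rsa_apply(my_private, wrapped_k).to_bytes(32, "big")
    return stream_xor(k, ciphertext)

if __name__ == "__main__":
    alice_pub, alice_priv = generate_keypair()
    bob_pub, bob_priv = generate_keypair()
    # The slide's challenge: A sends E(x, PublicB); only B can answer with x.
    x = secrets.randbits(64)
    print("B recovers x:", rsa_apply(bob_priv, rsa_apply(bob_pub, x)) == x)
    print("public key undoes itself:", rsa_apply(bob_pub, rsa_apply(bob_pub, x)) == x)
    msg = b"Meet at noon."                      # constructed message
    sig = sign(alice_priv, msg)                 # Alice signs
    wrapped, ct = hybrid_encrypt(bob_pub, msg)  # and encrypts for Bob
    plain = hybrid_decrypt(bob_priv, wrapped, ct)
    print(plain, verify(alice_pub, plain, sig), verify(alice_pub, b"Meet at one.", sig))
```

The key-wrapping step is why the 100x-10,000x slowdown of RSA noted earlier does not matter in practice: RSA is applied once to a 32-byte key, and the symmetric cipher does all the work on the message body.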

Page 23: Chapter 8 – Network Security

Transport Layer Security (TLS)

SSL (the older protocol that TLS grew out of) and HTTPS (HTTP carried over TLS) are two well-known examples

Page 24: Chapter 8 – Network Security

Figure: protocol stack – Application (e.g., HTTP) over the secure transport layer (TLS) over TCP over IP over the subnet

Page 25: Chapter 8 – Network Security

TLS handshake (brackets mark messages that are optional):

1. Client → Server: Hello
2. Server → Client: Hello, [Certificate, Keys, Cert. Request], HelloDone
3. Client → Server: [Certificate], Keys, [Cert. Verify], Finished
4. Server → Client: Finished
5. Both directions: Data

Page 26: Chapter 8 – Network Security

Firewalls

Basic functions: packet filtering (see example on handouts), Network Address Translation (NAT), application proxy, monitoring and logging

Page 27: Chapter 8 – Network Security

Firewalls – Other functions

Firewalls can sometimes also do: data caching, content filtering, intrusion detection, load balancing
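A packet filter of the kind listed first among the basic functions, as an added example (Python, standard library only). The rule set, the addresses and the sample packets are constructed for the demo and are not the handout's example. Rules are evaluated top to bottom, the first match wins, and anything unmatched is dropped, so the order of the list and its default are as much a part of the policy as the rules themselves.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                     # "allow" or "deny"
    iface: str                      # ingress interface: "ext", "int" or "*"
    proto: str                      # "tcp", "udp", "icmp" or "*"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dports: Optional[range] = None  # destination port range; None = any port

@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: Optional[int] = None

def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)

def ip(addr: str) -> ipaddress.IPv4Address:
    return ipaddress.ip_address(addr)

ANY = net("0.0.0.0/0")
INSIDE = net("10.0.0.0/8")        # constructed internal address range
WEB = net("192.0.2.10/32")        # constructed public web server address

# Constructed policy. Order matters: the anti-spoofing rule must come before the
# web-server allow, or a packet forged with an inside source would be admitted.
RULES = [
    Rule("deny", "ext", "*", INSIDE, ANY),                  # outside packet claiming an inside source
    Rule("allow", "ext", "tcp", ANY, WEB, range(80, 81)),   # public web server, HTTP
    Rule("allow", "ext", "tcp", ANY, WEB, range(443, 444)), # public web server, HTTPS
    Rule("allow", "int", "tcp", INSIDE, ANY),               # inside hosts may go out
    Rule("allow", "int", "udp", INSIDE, ANY),
]

def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.iface not in ("*", pkt.iface) or rule.proto not in ("*", pkt.proto):
        return False
    if pkt.src not in rule.src or pkt.dst not in rule.dst:
        return False
    if rule.dports is not None and (pkt.dport is None or pkt.dport not in rule.dports):
        return False
    return True

def decide(rules, pkt: Packet) -> str:
    """First matching rule wins; no match means drop (default deny)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "deny"

SAMPLE = [  # constructed packets
    Packet("ext", "tcp", ip("203.0.113.5"), ip("192.0.2.10"), 443),   # allow
    Packet("ext", "tcp", ip("203.0.113.5"), ip("192.0.2.10"), 22),    # deny: no rule admits SSH
    Packet("ext", "tcp", ip("10.1.2.3"), ip("192.0.2.10"), 80),       # deny: spoofed inside source
    Packet("int", "udp", ip("10.0.0.7"), ip("198.51.100.1"), 53),     # allow: DNS query going out
    Packet("ext", "udp", ip("198.51.100.1"), ip("10.0.0.7"), 40000),  # deny: the DNS reply coming back
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(decide(RULES, pkt), pkt)
```

The last sample packet shows the limit of a stateless filter: the reply to a query the inside host just sent is dropped because no rule admits it, and the only stateless fix is to open inbound UDP broadly. A stateful filter instead remembers the outgoing query and admits the matching reply, which is what most firewalls do today.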

Page 28: Chapter 8 – Network Security

Figure: the firewall sits between the rest of the Internet and the local site

Page 29: Chapter 8 – Network Security

Proxy-Based Firewalls

A big topic that is only briefly touched upon in this text book

Page 30: Chapter 8 – Network Security

Figure: a company net behind a firewall, with a web server; a random external user and a remote company user both reach it across the Internet

Page 31: Chapter 8 – Network Security

Figure: proxy-based firewall – an external client opens an external HTTP/TCP connection to the proxy on the firewall, and the proxy opens a separate internal HTTP/TCP connection to the local server

Page 32: Chapter 8 – Network Security

Figure: outside world → R1 → net 1 → R2 → net 2 (the firewall built from two routers with net 1 between them)