Chapter 8 – Network Security
Two main topics:
Cryptographic algorithms and mechanisms
Firewalls
Chapter may be hard to understand if you don’t have some background. The topics are very extensive and 50 pages of text can’t cover much at all.
Encryption
Two main divisions:
Symmetric – the same key both encodes and decodes (examples: DES, Blowfish, RC2, RC4, etc.)
Asymmetric – different keys, one for encoding and one for decoding (examples: RSA, DH)
Symmetric, usually much faster to compute, but key distribution is harder
Asymmetric, much slower to compute, but key distribution is easier
Problems requiring Encryption (in plain English)
You don’t want your data intercepted in-transit by an unintended recipient
You want to be sure that you are communicating with the person or website that you intend
You want to be able to prove that you are who you say you are
Secret keys – symmetric encryption
Simple enough in concept – encrypt your message with a secret key and send it to a recipient – see next diagram
Read over the details of the example method given in the text (DES), but we will focus more on RSA
[Diagram: Plaintext → Encrypt with secret key → Ciphertext → Decrypt with secret key → Plaintext]
Public Key or Asymmetric Algorithms
Usually based on difficult-to-compute mathematical algorithms like factoring large near-prime numbers or calculating discrete logs
Two keys – private key and public key
One encrypts
The other decrypts
Only one copy of private key – owner
Can be many copies of public key
Public Key Usage
Look over the accompanying slides (handout) on the usage of Public Key cryptography
Factoid: RSA is 100 to 10,000 times slower to compute than a secret key method like DES or Blowfish
Therefore large amounts of encryption are not usually done with a public key method – instead secret (symmetric) keys are passed with public key encryption – see slides
Terminology
Key – a string of characters used to encrypt or decrypt a message
Plain text – the original message
Cipher text – the encrypted message
Public key – the part of a (public, private) key pair that is distributed to people whom you want to send encrypted messages to
Private key – the part that you keep to yourself to encrypt and decrypt with
How Public and Private Keys Work
Plain text encrypted by a private key gives cipher text that can be decrypted (only) by the public key
Conversely, plain text encrypted by the public key gives text that can be decrypted (only) by the private key
Note: plain text encrypted by a public key can not be decrypted by a second use of the public key (same for the private key)
How it Works (continued)
Note: if you want to keep your data secret, it does not work to encrypt data with your private key and send it off to be decrypted with your public key, because your public key (being public!) may be in the hands of people other than your intended recipient
Therefore both sides need a separate (private, public) key pair (see the diagrams in the handout)
Caveat: if you want to prove that you are who you say you are, then encrypting with your private key is useful – since only you possess it!
[Diagram: Plaintext → Encrypt with public key → Ciphertext → Decrypt with private key → Plaintext]
[Diagram: Security taxonomy. Cryptography algorithms: public key (e.g., RSA), secret key (e.g., DES), message digest (e.g., MD5). Security services: authentication, privacy, message integrity]
Security Mechanisms
Authentication, trusted third party, digital signatures, certificates are all mechanisms based on various uses of encryption to handle those problems stated earlier in plain English
The next diagrams show graphically some of the handshaking that needs to go on
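[Diagram: authentication handshake between Client and Server. Messages shown: ClientId, E(x, CHK); E(x + 1, SHK), E(y, SHK); E(y + 1, CHK); E(SK, SHK)]
[Diagram: exchange among A, S and B. Messages shown: A, B; E((T, L, K, B), KA), E((T, L, K, A), KB); E((A, T), K), E((T, L, K, A), KB); E(T + 1, K)]
[Diagram: exchange between A and B. Messages shown: E(x, PublicB); x]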
Certificates
Just a special type of digitally signed document
In plain English it says: “I certify that the public key in this document belongs to the entity named in the document, signed X.”
X would normally be a CA or Certification Authority – an administrative entity that is in the business of issuing certificates
“Chains of Trust”
Read over carefully the basic ideas behind the tree-structured certification authority given on page 592 and in figure 8.12
This whole issue is fraught with complications and standards – just the basic idea will suffice for us for this course
[Diagram: tree-structured certification authority hierarchy with IPRA at the root, PCA1, PCA2 and PCA3 below it, then CAs, then Users]
IPRA = Internet Policy Registration Authority (root)
PCAn = policy certification authority
CA = certification authority
Example Systems
Privacy Enhanced Mail (PEM)
Read over the basic idea on page 595 and study the following figures
[Figure: PEM message integrity and authentication]
Calculate MD5 checksum over message contents
Sign checksum using RSA with sender's private key
Transmitted message
Decrypt signed checksum with sender's public key
Calculate MD5 checksum on received message and compare against received value
Sender identity and message integrity confirmed if checksums match
[Figure: PEM message encryption]
Original message
Create a random secret key k
Encrypt message using DES with secret key k
Encrypt k using RSA with recipient's public key
Encode message + E(k) in ASCII for transmission
Transmitted message
Convert ASCII message
Decrypt E(k) using RSA with my private key -> k
Decrypt message using DES with secret key k
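The PEM figures combine both key directions described under "How Public and Private Keys Work" with the hybrid approach from "Public Key Usage". The sketch below is an added example, not from the slides or the textbook: it uses textbook RSA with no padding over small constructed primes, a SHA-256 keystream as a stand-in for DES, SHA-256 in place of MD5, and hypothetical parties ALICE and BOB.

```python
import hashlib
import secrets

def make_keypair(p, q, e=65537):
    """Toy RSA key pair (n, e, d) from two primes: (n, e) is public, d private."""
    n, phi = p * q, (p - 1) * (q - 1)
    return n, e, pow(e, -1, phi)

def keystream_xor(key, data):
    """Symmetric stand-in for DES: XOR data with a SHA-256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ s for b, s in zip(data[i:i + 32], pad))
    return bytes(out)

def checksum(message, n):
    # SHA-256 stands in for the slide's MD5; reduced mod n only because n is tiny.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def pem_send(message, sender_key, recipient_pub):
    n_s, _, d_s = sender_key
    n_r, e_r = recipient_pub
    k = secrets.randbelow(n_r - 2) + 2                 # random secret key k
    return {
        "body": keystream_xor(k.to_bytes(8, "big"), message).hex(),  # ASCII-safe
        "ek": pow(k, e_r, n_r),                        # k under recipient's PUBLIC key
        "sig": pow(checksum(message, n_s), d_s, n_s),  # checksum under sender's PRIVATE key
    }

def pem_receive(packet, recipient_key, sender_pub):
    n_r, _, d_r = recipient_key
    n_s, e_s = sender_pub
    k = pow(packet["ek"], d_r, n_r)                    # only the private key recovers k
    message = keystream_xor(k.to_bytes(8, "big"), bytes.fromhex(packet["body"]))
    authentic = pow(packet["sig"], e_s, n_s) == checksum(message, n_s)
    return message, authentic

# Constructed demo keys from small well-known primes, far too small for real use.
ALICE = make_keypair(2**31 - 1, 1_000_000_009)
BOB = make_keypair(1_000_000_007, 998_244_353)

if __name__ == "__main__":
    pkt = pem_send(b"meet at noon", ALICE, BOB[:2])
    print(pkt, pem_receive(pkt, BOB, ALICE[:2]))
```

Only the slow RSA operation touches the short values k and the checksum; the message body itself goes through the fast symmetric step, which is the division of labour the slides describe.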
Transport Layer Security (TLS)
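SSL and HTTPS are two well-known examples
[Diagram: protocol stack, top to bottom: Application (e.g., HTTP); Secure transport layer; TCP; IP; Subnet]
[Diagram: handshake between Client and Server. Client: Hello. Server: Hello [Certificate, Keys, Cert. Request] HelloDone. Client: [Certificate] Keys [Cert. Verify] Finished. Server: Finished. Then Data.]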
Firewalls
Basic Functions:
Packet Filtering (see example on handouts)
Network Address Translation (NAT)
Application Proxy
Monitoring and Logging
Firewalls – Other functions
Firewalls can sometimes do:
Data Caching
Content Filtering
Intrusion Detection
Load Balancing
[Diagram: a firewall between the local site and the rest of the Internet]
Proxy-Based Firewalls
A big topic that is only briefly touched upon in this text book
[Diagram labels: Company net, Firewall, Web server, Random external user, Remote company user, Internet]
[Diagram labels: External client, External HTTP/TCP connection, Proxy, Firewall, Internal HTTP/TCP connection, Local server]
[Diagram labels: Outside world, R1, R2, net 1, net 2]