04/13/23 Tutorial on Network Security: Sep 2003
Network Security

Bijendra Jain ([email protected])
Lecture 1: Introduction
Top-level issues

- Safety, security and privacy
- Security policy
  - threats, both external and internal
  - economic gains
  - cost of securing resources
  - cryptographic methods vs. physical security
- Information security:
  - nature of resources (HW, SW, information)
  - during storage, access and communication
  - limited to a single computer vs. network security
  - various layers (physical through application layers)
Security threats

- Intentional vs. accidental
- Various forms of violations:
  - non-destructive
  - destructive
  - repudiation
  - denial of service
- Threat techniques:
  - crypt-analysis
  - snooping
  - masquerading
  - replay attacks
  - viruses, worms
  - etc.
Security services

- Services (or functions) vs. mechanisms
- Security functions:
  - confidentiality
  - authentication
  - integrity
  - non-repudiation
  - access control
  - availability
Security mechanisms

- Physical controls
- Audit trails
- Fraud detection (data mining)
- Steganography
- Encryption:
  - private-key vs. public-key encryption
  - key generation, exchange, and management
  - certification
- Firewalls etc.
Lecture 2: Symmetric-key encryption
Cryptographic systems

- Symmetric vs. asymmetric encryption
- Number of keys used
- Key lengths
- Block vs. stream cipher
- Crypt-analysis (assume the algorithm is known), classified by what the attacker has:
  - ciphertext (only)
  - plaintext + ciphertext
  - chosen plaintext + ciphertext
  - chosen ciphertext + plaintext

| Key size | Possible no. of keys | Time to crack (1 encryption/microsec) | Time to crack (10^6 encryptions/microsec) |
|---|---|---|---|
| 32 bits | 10^9 | 36 min | 2 msec |
| 56 bits | 10^16 | 1100 years | 10 hrs |
| 128 bits | 10^38 | 5 x 10^24 years | 5 x 10^18 years |
| 26-character permutation | 10^26 | 6 x 10^12 years | 6 x 10^6 years |
Symmetric cryptographic system

- Symmetric encryption
  - plaintext, X
  - ciphertext, Y
  - one secret key K, used for both encryption and decryption

[Figure: X → Encrypt E_K → Y → insecure channel (subject to crypt-analysis) → Decrypt D_K → X; the secret key K reaches both ends over a secure channel]
Asymmetric cryptographic system

- Asymmetric encryption
  - plaintext, X
  - ciphertext, Y
  - two keys, K1 and K2; one is secret, the other is public
  - one of them (secret or public) is used to encrypt, the other for decryption
  - helps with confidentiality, digital signatures
- Key generation, management

[Figure: X → Encrypt with K1 → Y → insecure channel (subject to crypt-analysis) → Decrypt with K2 → X]
Symmetric encryption

- Substitution cipher
- Transposition cipher
- DES
- Triple DES
- Blowfish, RC5, RC4, etc.
Substitution cipher

- Caesar cipher
  - encrypt: C = (p + k) mod n
  - decrypt: p = (C - k) mod n
  - assumes an alphabet of n characters
  - easily breakable in n-1 steps (try every possible shift)
- Substitute using an n x n table
  - encrypt: Ci = lookup_encrypt(pi)
  - decrypt: pj = lookup_decrypt(Cj)
  - 26! different keys
  - may be broken using the known "relative frequency" of each character
  - to counter:
    - use multiple symbols to substitute for one symbol
    - substitute multiple symbols at a time, e.g. two-letter strings at a time
Transposition cipher

Transposition example:

| Key | 4 | 3 | 1 | 2 | 5 | 6 | 7 |
|---|---|---|---|---|---|---|---|
| Plaintext | a | t | t | a | c | k | p |
| | o | s | t | p | o | n | e |
| | d | u | n | t | i | l | t |
| | w | o | a | m | x | y | z |

Ciphertext: TTNAAPTMTSUOAODWCOIXKNLYPETZ

To make it more secure:
- transpose it multiple times
- combine it with substitution ciphers
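The columnar transposition from this slide, worked through as an added Python example (not code from the tutorial): the key digit above each column gives the order in which the columns are read out. The key and plaintext are the slide's own; padding a short final row with "x" is an assumption.

```python
def columnar_transpose(plaintext, key):
    """Columnar transposition as on the slide: write the text row by row under the key,
    then read the columns out in key order (column labelled 1 first, then 2, ...)."""
    cols = len(key)
    text = plaintext.replace(" ", "").lower()
    text += "x" * (-len(text) % cols)        # fill the last row (assumed; the slide pads with x y z)
    rows = [text[i:i + cols] for i in range(0, len(text), cols)]
    order = sorted(range(cols), key=lambda i: key[i])   # column indices in key order
    return "".join(row[i] for i in order for row in rows).upper()

def columnar_untranspose(ciphertext, key):
    """Inverse: refill the columns in key order, then read the grid row by row."""
    cols = len(key)
    nrows = len(ciphertext) // cols          # ciphertext length is a multiple of the key length
    order = sorted(range(cols), key=lambda i: key[i])
    grid = [[""] * cols for _ in range(nrows)]
    pos = 0
    for i in order:
        for r in range(nrows):
            grid[r][i] = ciphertext[pos]
            pos += 1
    return "".join("".join(row) for row in grid).lower()

if __name__ == "__main__":
    key = [4, 3, 1, 2, 5, 6, 7]
    pt = "attack postponed until two am xyz"       # the slide's plaintext, xyz as filler
    ct = columnar_transpose(pt, key)
    print(ct)                                       # TTNAAPTMTSUOAODWCOIXKNLYPETZ
    print(columnar_untranspose(ct, key))            # attackpostponeduntiltwoamxyz
    # "transpose it multiple times": a second pass over the ciphertext with the same key
    print(columnar_transpose(ct, key))
```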
DES

- Combination of several substitution and transposition ops
  - applied to each block of size 64 bits
  - key is 56 bits
  - uses portions of the key at different steps
  - uses techniques referred to as "diffusion and confusion"
- Developed by IBM 1971-73, accepted by NBS (USA) as a standard in 1977
- Primarily a block cipher

[Figure: DES as a block cipher. Encrypt: P1 → E_K → C1; Decrypt: C1 → D_K → P1, both under the same key K]
DES encryption algorithm

[Figure: 64-bit plaintext → initial permutation → Round 1 → Round 2 → ... → Round 16 → 32-bit swap → inverse permutation → 64-bit ciphertext. The round keys K1, K2, ..., K16 are derived from the 56-bit key by a permuted choice followed, for each round, by a left circular shift and another permuted choice]
Cipher Block Chaining

- Primarily a block cipher
  - may be used in "block chaining mode"

[Figure: CBC mode with one key K. Encrypt: C1 = E_K(P1 ⊕ IV), C2 = E_K(P2 ⊕ C1). Decrypt: P1 = D_K(C1) ⊕ IV, P2 = D_K(C2) ⊕ C1. The "+" boxes in the figure are XOR]
Strength of DES

- Key size of 56 bits appears to be too small
  - In 1993 Wiener developed a HW device for $100K with 5760 search engines to break it in 35 hours
  - In 1997, 70,000 systems on the Internet discovered the key in less than 96 days (part of the plaintext is given)
  - Automating the process is difficult unless plaintext is known
- Perhaps breakable by studying and exploiting weaknesses
  - differential cryptanalysis
  - linear cryptanalysis
- Trapdoor: the US Govt changed the original design
- Continues to enjoy wide acceptability
  - particularly with triple-DES (used in PGP)
Double-DES

Two stages of encryption, using two different keys

[Figure: P → Encrypt E_K1 → X → Encrypt E_K2 → C]
Double-DES

- "Two stages cannot be reduced to one stage":
  - for given K1, K2, there is no K s.t. E_K2(E_K1(P)) = E_K(P)
- Meet-in-the-middle attack
  - let C = E_K2(E_K1(P)), and X = E_K1(P) = D_K2(C)
  - let P and C be known
  - search for K1 and K2 such that X = E_K1(P) = D_K2(C)
  - complexity is O(2^56 + 2^56), not O(2^128)
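An added Python example (not code from the tutorial) that serves both the Cipher Block Chaining slide and the meet-in-the-middle argument above. It assumes a constructed toy 32-bit block cipher with 16-bit keys standing in for DES, so each half of the attack costs 2^16 cipher operations rather than 2^56; `enc`, `dec`, the CBC functions and `meet_in_the_middle` are hypothetical names, not any library's API.

```python
MASK32, MUL = 0xFFFFFFFF, 0x9E3779B1    # MUL is odd, so multiplying mod 2^32 is invertible
MUL_INV = pow(MUL, -1, 1 << 32)

def enc(k, p):
    """Constructed toy block cipher (16-bit key k, 32-bit block p); NOT secure, stands in for DES."""
    x = p ^ (k | (k << 16))                  # key whitening
    x = (x * MUL + k) & MASK32               # multiply-add mod 2^32: nonlinear over GF(2)
    return ((x << 7) | (x >> 25)) & MASK32   # rotate left by 7

def dec(k, c):
    x = ((c >> 7) | (c << 25)) & MASK32      # rotate right by 7
    x = ((x - k) * MUL_INV) & MASK32
    return x ^ (k | (k << 16))

def cbc_encrypt(k, iv, blocks):
    """C_i = E_K(P_i XOR C_{i-1}) with C_0 = IV: the '+' boxes in the CBC figure are XOR."""
    out, prev = [], iv
    for p in blocks:
        prev = enc(k, p ^ prev)
        out.append(prev)
    return out

def cbc_decrypt(k, iv, blocks):
    out, prev = [], iv
    for c in blocks:
        out.append(dec(k, c) ^ prev)         # P_i = D_K(C_i) XOR C_{i-1}
        prev = c
    return out

def meet_in_the_middle(pairs, key_bits=16):
    """Recover (K1, K2) from known (P, C) pairs with C = E_K2(E_K1(P)).
    Work: 2^key_bits encryptions plus 2^key_bits decryptions, not 2^(2*key_bits)."""
    p0, c0 = pairs[0]
    table = {}
    for k1 in range(1 << key_bits):          # forward half: X = E_K1(P0) for every K1
        table.setdefault(enc(k1, p0), []).append(k1)
    for k2 in range(1 << key_bits):          # backward half: X = D_K2(C0), look it up
        for k1 in table.get(dec(k2, c0), []):
            # a 32-bit match can be coincidence: confirm on the remaining known pairs
            if all(enc(k2, enc(k1, p)) == c for p, c in pairs[1:]):
                return k1, k2
    return None

if __name__ == "__main__":
    k1, k2, iv = 0xBEEF, 0x1234, 0x0C0FFEE0  # constructed sample keys and IV
    pts = [0x41414141, 0x41414141]           # two identical plaintext blocks
    print([hex(enc(k1, p)) for p in pts], [hex(c) for c in cbc_encrypt(k1, iv, pts)])  # ECB repeats, CBC does not
    pairs = [(p, enc(k2, enc(k1, p))) for p in (0x01234567, 0x89ABCDEF)]
    print(meet_in_the_middle(pairs))         # (48879, 4660), i.e. (0xBEEF, 0x1234)
```

Scaled back up to 56-bit keys, this is why two-key double encryption buys only about one extra bit of effort over a single key, and why the next slide moves to triple-DES.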
Triple-DES

Three stages of encryption, using two different keys (in the two-key form the third key equals the first)

[Figure: P → Encrypt E_K1 → X1 → Decrypt D_K2 → X2 → Encrypt E_K3 → C]
IDEA

- International Data Encryption Algorithm (IDEA), developed in 1991, gaining ground
- block cipher, better understood
- US government has had no role in its design
- design principles:
  - block size 64 bits
  - key length 128 bits
  - more emphasis on "diffusion" and "confusion"
  - uses three operations: "exclusive-OR", "addition", "multiplication"
  - some effort to make HW implementation easier
RC5

- developed by Rivest in 1994
- suitable for HW or SW implementation on microprocessors
  - simple
  - different word lengths
  - low memory
- high level of security
  - simpler determination of strength
  - variable no. of "rounds", key length
Blowfish

- Developed in 1993
- block cipher
- up to 448-bit keys
- no known attacks
- simple, fast and compact

| Algorithm | Cycles/"round" | No. of rounds | Cycles/byte encrypted |
|---|---|---|---|
| Blowfish | 9 | 16 | 18 |
| RC5 | 12 | 16 | 23 |
| DES | 18 | 16 | 45 |
| IDEA | 50 | 8 | 50 |
| Triple-DES | 18 | 48 | 108 |
Summary: symmetric key encryption

- Since the same key is used to encrypt and decrypt, the system is also known as private-key encryption
- Symmetric key encryption
  - uses shared secret keys
  - also known as "private-key" encryption
- Primarily used for the purpose of confidentiality
  - may be used to authenticate as well, but such authentication may be "repudiated"
- Key sharing or management is an issue
  - particularly when the no. of clients sharing the key is "large"
Application to confidentiality

- Private-key encryption may be used to provide confidentiality of messages during transfer over LANs and/or WANs
- At issue:
  - what information: user data vs. headers; identity of correspondents vs. node/route identity
  - in what layer, and between what points: link-layer vs. end-to-end vs. application level
- Assumption: data over the physical network is accessible
  - wireless links
  - employees of the network service provider
  - your own colleagues
Link-level vs. end-to-end confidentiality

[Figure: Host A — R — R — R — Host B. Link-level encrypt/decrypt is applied on each link between adjacent nodes; end-to-end encrypt/decrypt is applied only at Host A and Host B]
Link-level vs. end-to-end confidentiality

| | Link-level encryption | End-to-end encryption |
|---|---|---|
| Security within nodes, hosts | Exposed in intermediate nodes | Exposed in end hosts |
| | Encrypted in intermediate nodes | Encrypted/decrypted by end hosts |
| Role of end devices, intermediate nodes | Intermediate nodes require encryption | Only end hosts need encryption |
| | One key for each link | One key per session/connection |
| | Done in hardware | Perhaps done in software |
Traffic confidentiality

- Issues:
  - identity of communicating entities
  - identity of hosts, routers
  - traffic volumes, patterns
- Link-level encryption offers better confidentiality
- Padding may be used to "hide" patterns and volumes
Key distribution

- Secret key must be distributed between the communicating entities, say A and B
- Link-level encryption requires L keys to be distributed, one for each device at the end of a link
- Host-to-host encryption requires N*(N-1)/2 keys to be distributed
- Two techniques:
  - Physical delivery (works only in very limited environs)
    - A delivers it to B
    - A trusted third party C delivers the key to A and to B
  - Electronic delivery using an established secure connection or session
    - A delivers it to B after suitably encrypting it
    - A trusted third party C delivers the key to A and to B using secure channels to A and to B
Key distribution

Electronic distribution by B to A, though the process is initiated by A

In the slide's figure:
- N1 and N2 are "nonces"
- MKm is the "master key" shared by A and B
- KS is the new "session key"
- F is a well-known function, such as ADD 1
Key distribution

Electronic distribution by a trusted third party C to A and to B
Key distribution

In the slide's figure:
- KA and KB are the keys used by A and B, respectively, to communicate with C
- IDA identifies entity A
Key distribution

- Secure operation of these schemes against:
  - masquerade
  - replay attacks
- Other issues:
  - hierarchy of keys
  - lifetime of a session key
  - generation of nonces or random numbers
Thanks