network security by georgi todorov dowling college oakdale
DESCRIPTION
TRANSCRIPT
![Page 1: Network Security by Georgi Todorov Dowling College Oakdale](https://reader033.vdocument.in/reader033/viewer/2022061210/54903e06b479591e1d8b4e7d/html5/thumbnails/1.jpg)
Network SecurityNetwork Security
by Georgi TodorovDowling College
Oakdale, NY, 11769http://mcs.dowling.edu/POCS/
by Georgi TodorovDowling College
Oakdale, NY, 11769http://mcs.dowling.edu/POCS/
POCS Seminar Series 2006POCS Seminar Series 2006
Creative Commons Attribution-ShareAlike2.5 LicenseCreative Commons Attribution-ShareAlike2.5 License
![Page 2: Network Security by Georgi Todorov Dowling College Oakdale](https://reader033.vdocument.in/reader033/viewer/2022061210/54903e06b479591e1d8b4e7d/html5/thumbnails/2.jpg)
Outline
The Network Security Problem
Cryptography
Modern Cryptography
Symmetric-Key Algorithms
Cryptanalysis
Public-Key Algorightms
by Georgi Todorov Creative Commons Attribution-ShareAlike2.5 LicenseCreative Commons Attribution-ShareAlike2.5 LicenseCreative Commons Attribution-ShareAlike2.5 LicenseCreative Commons Attribution-ShareAlike2.5 License
![Page 3: Network Security by Georgi Todorov Dowling College Oakdale](https://reader033.vdocument.in/reader033/viewer/2022061210/54903e06b479591e1d8b4e7d/html5/thumbnails/3.jpg)
Outline
Digital Signatures
IPSec
Firewalls
VPN
Wireless security
by Georgi Todorov Creative Commons Attribution-ShareAlike2.5 LicenseCreative Commons Attribution-ShareAlike2.5 LicenseCreative Commons Attribution-ShareAlike2.5 LicenseCreative Commons Attribution-ShareAlike2.5 License
![Page 4: Network Security by Georgi Todorov Dowling College Oakdale](https://reader033.vdocument.in/reader033/viewer/2022061210/54903e06b479591e1d8b4e7d/html5/thumbnails/4.jpg)
Outline
Kerberos
PGP
SSL
Practical: GnuPG
by Georgi Todorov Creative Commons Attribution-ShareAlike2.5 LicenseCreative Commons Attribution-ShareAlike2.5 LicenseCreative Commons Attribution-ShareAlike2.5 LicenseCreative Commons Attribution-ShareAlike2.5 License
![Page 5: Network Security by Georgi Todorov Dowling College Oakdale](https://reader033.vdocument.in/reader033/viewer/2022061210/54903e06b479591e1d8b4e7d/html5/thumbnails/5.jpg)
The Network Security Problem
Computer Networks (before) - university researchers, corporate employees.
Computer Networks (now) - millions use it for banking, shopping, tax returns etc.
![Page 6: Network Security by Georgi Todorov Dowling College Oakdale](https://reader033.vdocument.in/reader033/viewer/2022061210/54903e06b479591e1d8b4e7d/html5/thumbnails/6.jpg)
The Network Security Problem
Security is concerned with preventing unauthorized access or use of information or resources.
Reasons for security problems: for fun, for revenge, for theft
![Page 7: Network Security by Georgi Todorov Dowling College Oakdale](https://reader033.vdocument.in/reader033/viewer/2022061210/54903e06b479591e1d8b4e7d/html5/thumbnails/7.jpg)
NOTE!!!
The biggest problems in security are caused by incompetent employees, bad security procedures, and inside attacks rather than decoding encrypted messages stolen from tapped phone lines.
![Page 8: Network Security by Georgi Todorov Dowling College Oakdale](https://reader033.vdocument.in/reader033/viewer/2022061210/54903e06b479591e1d8b4e7d/html5/thumbnails/8.jpg)
Cryptography“Cryptography or cryptology is a field of mathematics and computer science concerned with information security and related issues, particularly encryption and authentication.” - Wikipedia [1]
The term comes from Greek and it means “secret writing”, hence cryptology -> “the study of secret writing”
Cryptanalysis is the study of codebreaking
![Page 9: Network Security by Georgi Todorov Dowling College Oakdale](https://reader033.vdocument.in/reader033/viewer/2022061210/54903e06b479591e1d8b4e7d/html5/thumbnails/9.jpg)
Modern CryptographyModern cryptography includes the following main areas of study:
Symmetric-key cryptography
Public-key cryptography
Cryptanalysis
Cryptographic primitives
Cryptographic protocols
![Page 10: Network Security by Georgi Todorov Dowling College Oakdale](https://reader033.vdocument.in/reader033/viewer/2022061210/54903e06b479591e1d8b4e7d/html5/thumbnails/10.jpg)
Symmetric-key algorithm
“Symmetric-key algorithms are a class of algorithms for cryptography that use trivially related cryptographic keys for both decryption and encryption.” - Wikipedia [2]
Two types:
Stream ciphers - one bit at a time
Block ciphers - number of bits(64) as a single unit
![Page 11: Network Security by Georgi Todorov Dowling College Oakdale](https://reader033.vdocument.in/reader033/viewer/2022061210/54903e06b479591e1d8b4e7d/html5/thumbnails/11.jpg)
Symmetric-key algorithm
Hundreds or thousands of times faster
Encryption functions are reversible
Same input produces same output
DES, AES
![Page 12: Network Security by Georgi Todorov Dowling College Oakdale](https://reader033.vdocument.in/reader033/viewer/2022061210/54903e06b479591e1d8b4e7d/html5/thumbnails/12.jpg)
Symmetric-key algorithm - DES (Data Encryption Standard)Developed by IBM and adopted by the U.S. Government in january 1977
Encoding:
Text is divided into 64 bits
First stage: Permutation of the text
16 rounds of processing: key(last32bits); XOR(first32bits,key(last32bits));Flip pair
Last stage: inverse permutation
Problems: too short -> 3DES (2 keys)
![Page 13: Network Security by Georgi Todorov Dowling College Oakdale](https://reader033.vdocument.in/reader033/viewer/2022061210/54903e06b479591e1d8b4e7d/html5/thumbnails/13.jpg)
Symmetric-key algorithm - AES (Advanced Encryption Standard)Developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen
Operates on a 4x4 array of bytes (or more for more than 128 bit key size). Each round of AES excluding the last one consist of four steps:
AddRoundKey, SubBytes, ShiftRows, MixColumns
For more info:http://en.wikipedia.org/wiki/Advanced_Encryption_Standard
![Page 14: Network Security by Georgi Todorov Dowling College Oakdale](https://reader033.vdocument.in/reader033/viewer/2022061210/54903e06b479591e1d8b4e7d/html5/thumbnails/14.jpg)
CryptanalysisDifferential cryptanalysis -> technique for attacking any block cipher, stream ciphers and cryptographic hash functions. How differences in an input can affect the resultant difference at the output.
DES can be successfully broken with an effort on the order of 2^47 chosen plaintexts.
Linear cryptanalysis -> works by XORing certain bits in the plaintext and ciphertext together.
It can break DES in only 2^43 known plaintexts
Electrical power consumtion (3 volts for 1 and 0 for 0)-> very powerful
Timing analysis - if, else -> different timing
![Page 15: Network Security by Georgi Todorov Dowling College Oakdale](https://reader033.vdocument.in/reader033/viewer/2022061210/54903e06b479591e1d8b4e7d/html5/thumbnails/15.jpg)
Public-Key Algorithms
Based on the computational complexity of number theory
Encryption (public) key is different from the decryption(private) key. One cannot be forged by the other but one is inverse of the other.
Diffie-Hellman key exchange protocol -> the first to show that public-key cryptography was possible
![Page 16: Network Security by Georgi Todorov Dowling College Oakdale](https://reader033.vdocument.in/reader033/viewer/2022061210/54903e06b479591e1d8b4e7d/html5/thumbnails/16.jpg)
Public-Key Algorithms - RSA
(Rivest, Shamir, Adleman)
MIT 1978
It has survived ALL ATTEMPTS to break it.
One big disadvantage -> quite slow (at least 1024 bit keys)
Widely used today
![Page 17: Network Security by Georgi Todorov Dowling College Oakdale](https://reader033.vdocument.in/reader033/viewer/2022061210/54903e06b479591e1d8b4e7d/html5/thumbnails/17.jpg)
Public-Key Algorithms - RSA
(Rivest, Shamir, Adleman)
Summary:
Choose to large prime numbers p and q such that p != q, randomly and independently from each other
compute n = p*q
compute the totient Ф(n) = (p-1)(q-1)
Choose an integer e such that 1 < e < Ф(n), which is comprime to Ф(n)
Compute d such that de = 1 mod Ф(n).
![Page 18: Network Security by Georgi Todorov Dowling College Oakdale](https://reader033.vdocument.in/reader033/viewer/2022061210/54903e06b479591e1d8b4e7d/html5/thumbnails/18.jpg)
Public-Key Algorithms - RSA
(Rivest, Shamir, Adleman)Summary:
Public key consists of n and ePrivate key consists of n and d
Example:p = 61 — first prime number (to be kept secret or deleted securely)q = 53 — second prime number (to be kept secret or deleted securely)n = pq = 3233 — modulus (to be made public)e = 17 — public exponent (to be made public)d = 2753 — private exponent (to be kept secret)The public key is (e, n). The private key is d. The encryption function is:encrypt(m) = m^e mod n = m^17 mod 3233where m is the plaintext. The decryption function is:decrypt(c) = c^d mod n = c^2753 mod 3233where c is the ciphertext.To encrypt the plaintext value 123, we calculateencrypt(123) = 123^17 mod 3233 = 855To decrypt the ciphertext value 855, we calculatedecrypt(855) = 855^2753 mod 3233 = 123
![Page 19: Network Security by Georgi Todorov Dowling College Oakdale](https://reader033.vdocument.in/reader033/viewer/2022061210/54903e06b479591e1d8b4e7d/html5/thumbnails/19.jpg)
Public-Key Algorithms - RSA
(Rivest, Shamir, Adleman)
Security:
The RSA problem -> taking eth roots module a composite n: m^e=c mod n where (e,n) is the public key, and c is the ciphertext.
Factoring Large numbers -> As of 2005 the largest number factored b general-purpose methods was 663 bits long, using state-of-the-art distributed methods. No polunomail-time method is known so far!
![Page 20: Network Security by Georgi Todorov Dowling College Oakdale](https://reader033.vdocument.in/reader033/viewer/2022061210/54903e06b479591e1d8b4e7d/html5/thumbnails/20.jpg)
Digital Signatures
Symmetric-Key signatures - > requires central authority that knows everything and whom everyone trusts
Public-Key signatures -> eliminates the requirement of aa central authority
![Page 21: Network Security by Georgi Todorov Dowling College Oakdale](https://reader033.vdocument.in/reader033/viewer/2022061210/54903e06b479591e1d8b4e7d/html5/thumbnails/21.jpg)
Message DigestOne-way hash function
Simpler than signature
Properties:
Given P, it is easy to compute MD(P)
Given MD(P), it is effectively impossible to find P
Given P no one can find P’ such that MD(P’)=MD(P)
A change to the input of even 1 bit produces a very different output
MD5 and SHA-1
![Page 22: Network Security by Georgi Todorov Dowling College Oakdale](https://reader033.vdocument.in/reader033/viewer/2022061210/54903e06b479591e1d8b4e7d/html5/thumbnails/22.jpg)
IPSec
“IPsec (IP security) is a standard for securing Internet Protocol (IP) communications by encrypting and/or authenticating all IP packets. IPsec provides security at the network layer.” - Wikipedia [3]
Two modes: Tunnel mode: port-to-port communications securityTransparent mode: end-to-end security
Dominant use in VPNs
Mandatory part in IPv6
![Page 23: Network Security by Georgi Todorov Dowling College Oakdale](https://reader033.vdocument.in/reader033/viewer/2022061210/54903e06b479591e1d8b4e7d/html5/thumbnails/23.jpg)
Firewalls
Description by Andy Tanenbaum: “Firewalls are just a modern adaptation of that old medieval security standby: digging a deep moat around your castle. This design forced everyone entering or leaving the castle to passover a single drawbridge, where they could be inspected by the I/O police.” [4]
Network layer firewalls do not allow packets to pass through unless they match the rules. These rules are defined by the administrator, or build-in ones are used
Application layer firewalls may stop all packets coming from or to an application (browser, ftp, mail)
Proxies may act as firewall
NAT -> Network Address Translation -> multiple hosts behind a single IP
![Page 24: Network Security by Georgi Todorov Dowling College Oakdale](https://reader033.vdocument.in/reader033/viewer/2022061210/54903e06b479591e1d8b4e7d/html5/thumbnails/24.jpg)
VPN - Virtual Private Network
A overlay network on top of a public network with the properties of a private network.
Based on virtual circuits
Used to connect remote sites of a company
Secure VPN protocols include:
IPsec
SSL (OpenVPN, tun/tap)
PPTP(M$)
![Page 25: Network Security by Georgi Todorov Dowling College Oakdale](https://reader033.vdocument.in/reader033/viewer/2022061210/54903e06b479591e1d8b4e7d/html5/thumbnails/25.jpg)
Wireless Security
WEP (Wired Equivalent Privacy) - Stream cipher based on the RC4 algorithm
64bit WEP uses 40 bit key plus 24bit initialization vector forming RC4 traffic key.
After US Gov. restrictions were lifted, 128bit web with 104bit key size was introduced
Average break time 3 min
WPA and WPA2 (Wi-Fi Protected Access)128-bit key and 48-bit IV plus Temporal Key Integrity Protocol
Personal -> pre-shared key
Enterprise -> 802.11X authentication
Requires strong password for Personal
![Page 26: Network Security by Georgi Todorov Dowling College Oakdale](https://reader033.vdocument.in/reader033/viewer/2022061210/54903e06b479591e1d8b4e7d/html5/thumbnails/26.jpg)
Kerberos
Authentication protocol which allows individuals communicating over an insecure network to prove their identity to one another in a secure manner
Builds on symmetric-key cryptography and requires trusted third party
Uses: OpenSSH, NFS, PAM, SOKS, Apache, Devicot IMAP3 and POP3 server and others
![Page 27: Network Security by Georgi Todorov Dowling College Oakdale](https://reader033.vdocument.in/reader033/viewer/2022061210/54903e06b479591e1d8b4e7d/html5/thumbnails/27.jpg)
Kerberos
Outline:Client and three servers(Authentication server, ticket-granting server and required service server)
client sends name to AS
AS sends session key and ticket to client encrypted with client’s secret key(ask for pwd and rm from system)
Client decrypts session and ticket and sends to TGS, encrypted with TGS’ secret key asking for ticket with SS
TGS returns two versions of the session key for client and SS, one encrypted with Client’s secret key and the other encrypted with SS’ secret key.
Now Client and SS can talk
If Client wants to talk to another SS, he sends a new ticket request directly to TGS
![Page 28: Network Security by Georgi Todorov Dowling College Oakdale](https://reader033.vdocument.in/reader033/viewer/2022061210/54903e06b479591e1d8b4e7d/html5/thumbnails/28.jpg)
PGP - Pretty Good Privacy
PGP provides cryptographic privacy, compression and authentication
Uses both public-key and symmetric-key cryptography
Outline:PGP generates MD5 of the message and encrypts the result with sender’s private RSA key
Encrypted hash and message are concatenated and compressed.
An IDEA message key is generated and used to encrypt the compressed with IDEA in cipher feedback mode
Also the key is encrypted with the recipient's public key.
Both are concatenated and converted to base64 and sent.
The recipient reverses base64, decrypts the IDEA with his private key, deripts the archive, extracts, and decrypts the hash using senders public key, than generates a new hash and compares both.
![Page 29: Network Security by Georgi Todorov Dowling College Oakdale](https://reader033.vdocument.in/reader033/viewer/2022061210/54903e06b479591e1d8b4e7d/html5/thumbnails/29.jpg)
PGP - Pretty Good Privacy
Supported RSA lengths:
1. Casual(384 bits): can be broken easily today.
2. Commercial(512 bits): breakable by three-letter organizations
3. Military ( 1024 bits): Not breakable by anyone on earth
4. Alien (2048 bits): Not breakable by anyone on other planets, either
Many public key servers are available
![Page 30: Network Security by Georgi Todorov Dowling College Oakdale](https://reader033.vdocument.in/reader033/viewer/2022061210/54903e06b479591e1d8b4e7d/html5/thumbnails/30.jpg)
SSL - Secure Sockets Layer/Transport Layer
Security (TLS)SSL exchanges records; each record can be optionally compressed, encrypted and packed with message authentication code. It also contains content_type field that specifies which upper layer protocol is being used.
Phases:
Peer negotiation for algorithm support
Public key encryption-based key exchange and certificate-based authentication
Symmetric cipher-based traffic encryption
Supported protocols:
RSA, Diffie-Hellman, DSA, Fortezza, RC2, RC4, IDEA, DES, 3DES, AES, MD5, SHA
SSL runs on layers beneath application protocols (HTML,SMTP,NNTP) and above the TCP transport protocol, which forms part of the TCP/IP protocol suite.
It can add security to any protocol that uses reliable connections.
![Page 31: Network Security by Georgi Todorov Dowling College Oakdale](https://reader033.vdocument.in/reader033/viewer/2022061210/54903e06b479591e1d8b4e7d/html5/thumbnails/31.jpg)
GnuPG
GnuPG - Complete implementation of the OpenPGP Internet standard
'GnuPG' currently supports ElGamal (signature and encrytion), DSA, AES, 3DES. Blowfish, Twofish, CASTS, MD5, SHA-1, RIPE-MD-160 and TIGER, and has language support for sixteen different languages.
http://eudoragpg.sourceforge.net/ver2.0/en/download/index.html -> Eudora plugin
http://www.sente.ch/software/GPGMail/English.lproj/GPGMail.html -> Apple Mail
http://enigmail.mozdev.org/download.html -> Mozilla, General Windows GnuPG
![Page 32: Network Security by Georgi Todorov Dowling College Oakdale](https://reader033.vdocument.in/reader033/viewer/2022061210/54903e06b479591e1d8b4e7d/html5/thumbnails/32.jpg)
References
[1] http://en.wikipedia.org/wiki/Cryptography
[2] http://en.wikipedia.org/wiki/Symmetric_key_algorithm
[3] http://en.wikipedia.org/wiki/IPsec
[4] Andrew Tanenbaum, “Computer Networks 4th Edition”, CH8,