network security david lazăr. contents security requirements and attacks confidentiality with...
TRANSCRIPT
![Page 1: Network Security David Lazăr. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash](https://reader035.vdocument.in/reader035/viewer/2022062720/56649eff5503460f94c154a1/html5/thumbnails/1.jpg)
Network Security
David Lazăr
![Page 2: Network Security David Lazăr. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash](https://reader035.vdocument.in/reader035/viewer/2022062720/56649eff5503460f94c154a1/html5/thumbnails/2.jpg)
Contents
• Security Requirements and Attacks
• Confidentiality with Conventional Encryption
• Message Authentication and Hash Functions
• Public-Key Encryption and Digital Signatures
• IPv4 and IPv6 Security
![Page 3: Network Security David Lazăr. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash](https://reader035.vdocument.in/reader035/viewer/2022062720/56649eff5503460f94c154a1/html5/thumbnails/3.jpg)
Security Requirements
• Confidentiality
• Integrity
• Availability
![Page 4: Network Security David Lazăr. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash](https://reader035.vdocument.in/reader035/viewer/2022062720/56649eff5503460f94c154a1/html5/thumbnails/4.jpg)
Passive Attacks
• Release of message content (eavesdropping)– Prevented by encryption
• Traffic Analysis– Fixed by traffic padding
• Passive attacks are easier to prevent than to detect
![Page 5: Network Security David Lazăr. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash](https://reader035.vdocument.in/reader035/viewer/2022062720/56649eff5503460f94c154a1/html5/thumbnails/5.jpg)
Active Attacks
• Involve the modification of the data stream or creation of a false data stream
• Active Attacks are easier to detect than to prevent
![Page 6: Network Security David Lazăr. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash](https://reader035.vdocument.in/reader035/viewer/2022062720/56649eff5503460f94c154a1/html5/thumbnails/6.jpg)
Active Attacks (cont.)
• Masquerade
• Replay
• Modification of messages
• Denial of service
![Page 7: Network Security David Lazăr. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash](https://reader035.vdocument.in/reader035/viewer/2022062720/56649eff5503460f94c154a1/html5/thumbnails/7.jpg)
Conventional Encryption
Plain text
Encryption algorithm
Decryption algorithm
Plain text
Transmitted ciphertext
Shared secret key
![Page 8: Network Security David Lazăr. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash](https://reader035.vdocument.in/reader035/viewer/2022062720/56649eff5503460f94c154a1/html5/thumbnails/8.jpg)
Conventional Encryption Requirements
• Knowing the algorithm, the plain text and the ciphered text, it shouldn’t be feasible to determine the key.
• The key sharing must be done in a secure fashion.
![Page 9: Network Security David Lazăr. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash](https://reader035.vdocument.in/reader035/viewer/2022062720/56649eff5503460f94c154a1/html5/thumbnails/9.jpg)
Encryption Algorithms
• Data Encryption Standard (DES)– Plaintext: 64-bit blocks– Key: 56 bits– Has been broken in 1998 (brute force)
• Triple DES
• Advanced Encryption Standard (AES)– Plaintext: 128-bit blocks– Key: 128, 256 or 512 bits
![Page 10: Network Security David Lazăr. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash](https://reader035.vdocument.in/reader035/viewer/2022062720/56649eff5503460f94c154a1/html5/thumbnails/10.jpg)
Location of Encryption Devices
PSN
PSN
PSN
PSN
PSN Packet Switching Node
End-to-end encryption device
Link encryption device
![Page 11: Network Security David Lazăr. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash](https://reader035.vdocument.in/reader035/viewer/2022062720/56649eff5503460f94c154a1/html5/thumbnails/11.jpg)
Key Distribution
• Manual– Selected by A, physically delivered to B– Selected by C, physically delivered to A and B
• Automatic– The new key is sent encrypted with an old key– Sent through a 3-rd party with which A and B
have encrypted links
![Page 12: Network Security David Lazăr. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash](https://reader035.vdocument.in/reader035/viewer/2022062720/56649eff5503460f94c154a1/html5/thumbnails/12.jpg)
Message Authentication
• Authentic message means that: – it comes from the alleged source– it has not been modified
![Page 13: Network Security David Lazăr. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash](https://reader035.vdocument.in/reader035/viewer/2022062720/56649eff5503460f94c154a1/html5/thumbnails/13.jpg)
Message Authentication Approaches
• Authentication with conventional encryption
• Authentication without message encryption:– when confidentiality is not necessary– when encryption is unpractical
![Page 14: Network Security David Lazăr. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash](https://reader035.vdocument.in/reader035/viewer/2022062720/56649eff5503460f94c154a1/html5/thumbnails/14.jpg)
Message Authentication Code
• Uses a secret key to generate a small block of data
MACM = F (KAB, M)
![Page 15: Network Security David Lazăr. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash](https://reader035.vdocument.in/reader035/viewer/2022062720/56649eff5503460f94c154a1/html5/thumbnails/15.jpg)
One-way Hash Function
• Message digest – a “fingerprint” of the message
• Like MAC, but without the use of a secret key
• The message digest must be authenticated
![Page 16: Network Security David Lazăr. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash](https://reader035.vdocument.in/reader035/viewer/2022062720/56649eff5503460f94c154a1/html5/thumbnails/16.jpg)
Secure Hash Requirements
• H can be applied to a block of any size• H produces a fixed-length output• H(x) is easy to compute• Given h, it is infeasible to compute x s.t.
H(x) = h• Given x, it is infeasible to find y s.t.
H(x) = H(y)• It is infeasible to find (x,y) such that
H(x) = H(y)
![Page 17: Network Security David Lazăr. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash](https://reader035.vdocument.in/reader035/viewer/2022062720/56649eff5503460f94c154a1/html5/thumbnails/17.jpg)
Secure Hash Functions
• Message Digest v5 (MD5)– 128-bit message digest– has been found to have collision weakness
• Secure Hash Algorithm (SHA-1)– 160-bit message digest
![Page 18: Network Security David Lazăr. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash](https://reader035.vdocument.in/reader035/viewer/2022062720/56649eff5503460f94c154a1/html5/thumbnails/18.jpg)
Public-Key Encryption
• Each user has a pair of keys:– public key– private key
• What is encrypted with one, can only be decrypted with the other
![Page 19: Network Security David Lazăr. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash](https://reader035.vdocument.in/reader035/viewer/2022062720/56649eff5503460f94c154a1/html5/thumbnails/19.jpg)
Encryption
Plain text Plain text
Transmitted ciphertext
Bob’s public key
Alice Bob
Bob’s private key
![Page 20: Network Security David Lazăr. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash](https://reader035.vdocument.in/reader035/viewer/2022062720/56649eff5503460f94c154a1/html5/thumbnails/20.jpg)
Authentication
Plain text Plain text
Transmitted ciphertext
Alice’s public key
Alice Bob
Alice’s private key
![Page 21: Network Security David Lazăr. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash](https://reader035.vdocument.in/reader035/viewer/2022062720/56649eff5503460f94c154a1/html5/thumbnails/21.jpg)
Digital Signature
• Like authentication, only performed on a message authenticator (SHA-1)
![Page 22: Network Security David Lazăr. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash](https://reader035.vdocument.in/reader035/viewer/2022062720/56649eff5503460f94c154a1/html5/thumbnails/22.jpg)
Public-Key Encryption Algorithms
• RSA (used by PGP)
• El Gamal (used by GnuPG)
![Page 23: Network Security David Lazăr. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash](https://reader035.vdocument.in/reader035/viewer/2022062720/56649eff5503460f94c154a1/html5/thumbnails/23.jpg)
Key Management
• Public-Key encryption can be used to distribute secret keys for conventional encryption
• Public-Key authentication:– signing authority– web of trust
![Page 24: Network Security David Lazăr. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash](https://reader035.vdocument.in/reader035/viewer/2022062720/56649eff5503460f94c154a1/html5/thumbnails/24.jpg)
IPv4 and IPv6 Security
• Provides encryption/authentication at the network (IP) layer
• IPSec applications:– Virtual Private Networking– E-commerce
![Page 25: Network Security David Lazăr. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash](https://reader035.vdocument.in/reader035/viewer/2022062720/56649eff5503460f94c154a1/html5/thumbnails/25.jpg)
The Scope of IPSec
• Authentication Header (AH)– provides authentication only
• Encapsulation Security Payload (ESP)– provides encryption and authentication
• Key exchange function
![Page 26: Network Security David Lazăr. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash](https://reader035.vdocument.in/reader035/viewer/2022062720/56649eff5503460f94c154a1/html5/thumbnails/26.jpg)
Security Association
• One-way relationship between two hosts, providing security services for the payload
• Uniquely identified by:– Security Parameter Index (SPI)– IP destination address– Security Protocol Identifier (AH/ESP)
![Page 27: Network Security David Lazăr. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash](https://reader035.vdocument.in/reader035/viewer/2022062720/56649eff5503460f94c154a1/html5/thumbnails/27.jpg)
IPSec Operation Modes
• Transport mode:– provides protection to the upper layers– ESP: encrypts the payload and, optionally,
authenticates parts of the IP header– AH: authenticates the payload and parts of
the IP header
![Page 28: Network Security David Lazăr. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash](https://reader035.vdocument.in/reader035/viewer/2022062720/56649eff5503460f94c154a1/html5/thumbnails/28.jpg)
IPSec Operation Modes
• Tunnel mode:– used when one/both of the ends is a security
gateway– the entire IP packet is encrypted (ESP) /
authenticated (AH) and encapsulated in an outer IP packet
![Page 29: Network Security David Lazăr. Contents Security Requirements and Attacks Confidentiality with Conventional Encryption Message Authentication and Hash](https://reader035.vdocument.in/reader035/viewer/2022062720/56649eff5503460f94c154a1/html5/thumbnails/29.jpg)
Key Management
• Manual– used for small networks– easier to configure
• Automated– more scalable– more difficult to setup– ISAKMP/Oakley