network security1 r taken mostly from “network and internetwork security” william stallings 1995...
TRANSCRIPT
![Page 1: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/1.jpg)
Network Security 1
Network Security
Taken mostly from “Network and Internetwork Security” William Stallings 1995
Overview Conventional encryption Confidentiality using conventional encryption Public-Key Cryptography Authentication and Digital Signatures Intruders Practice
![Page 2: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/2.jpg)
Network Security 2
Overview
What do we want to achieve?
Alice Bob
Trudy
![Page 3: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/3.jpg)
Network Security 3
Security Services
Confidentiality Authentication Integrity Non-repudiation Access Control Availability
![Page 4: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/4.jpg)
Network Security 4
Confidentiality
The data must be hidden Trudy cannot see the message Trudy cannot seen that a message was sent
How long must confidentiality be preserved?
![Page 5: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/5.jpg)
Network Security 5
Authentication
Are the receiver and sender who they claim to be? Am I really talking to Bob? Is that really Alice telling me that she no
longer loves me?
![Page 6: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/6.jpg)
Network Security 6
Integrity
Ensure the entire message is transmitted, and nothing in addition to the entire message Alice says “Please buy 100 shares of Nortel” Bob see “Please buy 100,000 shares of
Nortel”
![Page 7: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/7.jpg)
Network Security 7
Non-Repudiation
After the message is transmitted and received, neither party can deny that fact “No, really, I certainly did not order 100,000
shares of Nortel at $125 per share last March.”
Note: Alice and Bob do not necessarily trust each other!
![Page 8: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/8.jpg)
Network Security 8
Access Control
Control access to hosts and applications Everything looks like its from Alice, but it
turns out that Trudy has broken into Alice’s machine and successfully emulated Alice
![Page 9: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/9.jpg)
Network Security 9
Availability
The communication channel must remain open “That’s odd, I haven’t heard from Alice in
three weeks, and she usually calls me twice a day.”
![Page 10: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/10.jpg)
Network Security 10
Security Threats
Passive Attacks Content observation
• “I wonder want people would think if they knew what Alice and Bob were planning?”
Traffic Analysis• “Gee, the American third battalion was
transmitting more and more information, and then they suddenly ceased all communication.”
![Page 11: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/11.jpg)
Network Security 11
Interruption
Trudy prevents Alice from talking to Bob
Alice Bob
Trudy
![Page 12: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/12.jpg)
Network Security 12
Interception
Trudy overhears Alice’s message
Alice Bob
Trudy
![Page 13: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/13.jpg)
Network Security 13
Modification
Trudy changes Alice’s message
Alice Bob
Trudy
![Page 14: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/14.jpg)
Network Security 14
Fabrication
Trudy send a message claiming to be from Alice
Alice Bob
Trudy
![Page 15: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/15.jpg)
Network Security 15
Conventional Encryption Model AKA:
Symmetric shared-key single-key private-key
Plaintext: the original message Ciphertext: the encrypted message Secret key: the key used to encrypt and
decrypt the message
![Page 16: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/16.jpg)
Network Security 16
Model
MessageSource
MessageDestination
Encrypt
decrypt
Cryptanalyst
X
Y
X
X?
K?
Secret Key
Secure Channel
Insecure Channel
![Page 17: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/17.jpg)
Network Security 17
Conventional Encryption Model Message Source: X = [X1,X2, … XM] M elements are over some finite
alphabet Y = [Y1,Y2, … YN]
Y = EK(X)
X = DK(Y)
![Page 18: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/18.jpg)
Network Security 18
The Opponent: Cryptanalyst
Kerchoff’s Principle The security of a cryptosystem must not
depend on keeping the algorithm secret Types of Attack:
Ciphertext only Known plaintext Chosen plaintext
![Page 19: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/19.jpg)
Network Security 19
Degree of Security
Unconditionally secure The ciphertext does not contain sufficient
information to uniquely determine the corresponding plaintext
One time pad Computationally secure
The cost of breaking the cipher exceeds the value of the encrypted information
The time required exceeds the useful lifetime of the information
![Page 20: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/20.jpg)
Network Security 20
Classical Encryption Techniques Steganography:
“Covered Writing” Examples:
• Character marking• Invisible ink• Pin punctures• Use low-order bits of image encoding• Communication frequency• Etc.
Drawbacks:• Fails Kerchoff’s principle!
![Page 21: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/21.jpg)
Network Security 21
Steganography (a) Three zebras and a tree. (b)
Three zebras, a tree, and the complete text of five plays by William Shakespeare.
![Page 22: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/22.jpg)
Network Security 22
Cryptography
Operation types: Substitution v. Transposition
Number of keys 1: private key, symmetric, secret- or single-
key 2: public key, asymmetric, two-key
Data processing Block v. Stream
![Page 23: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/23.jpg)
Network Security 23
Substitution
Caesar Monoalphabetic Multi-letter Polyalphabetic
One-time pad
![Page 24: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/24.jpg)
Network Security 24
Caesar Cipher
Meet me after the toga party Phhw pd diwhu wkh wrjd sduwb
C = E(p) = (p+k)mod(26) For the above, k = 3 p = D(C) = (C-k)mod(26)
![Page 25: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/25.jpg)
Network Security 25
Caesar Security
Vulnerable to brute-force attack Algorithms are known 25 possible keys Language of plaintext is known
![Page 26: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/26.jpg)
Network Security 26
Monoalphabetic Ciphers
Use arbitrary substitution Key is then 26 character mapping 26! (>4x1026) possible keys (DES has only 256 or >7x1016 keys)
So what is UZQSOVUOHXMOPVGP … ?
![Page 27: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/27.jpg)
Network Security 27
How Secure is Monoalphabet? Vulnerable to letter-frequency analysis In English:
E 12.75% T 9.25% R 8.50% Etc.
Based on frequency of letters in ciphertext, make tentative assignment
Then move to digraph and trigraph frequency analysis E.g. “t?e” is probably “the”
![Page 28: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/28.jpg)
Network Security 28
Better Monoalphabets
Use homophones E.g. use several different mappings for the
letter “e” This eliminates the single-letter frequency
information But it doesn’t eliminate digraph, trigraph,
etc. frequency information The basic problem is that the ciphertext
is maintaining the structure of the original
![Page 29: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/29.jpg)
Network Security 29
Multi-letter encryption
Monoalphabet: E(l): L -> L Multiletter: E(l1 l2 … lN): LN -> LN
Playfair algorithm:• Given a key “monarchy” create the following
table
M O N A R
C H Y B D
E F G I/J K
L P Q S T
U V W X Z
![Page 30: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/30.jpg)
Network Security 30
Multi-letter encryption Encode letter pairs as follows:
Letter pairs with duplicate letters are separated by a filler letter
If letters are on the same row, use the letter to the right
If letters are in the same column, use the letter below
Otherwise, form a square and use the other corners
Thus: “bad grade” first becomes “ba” “’dg” “ra” “de”
And then: “IB” “YK” “MR” “KC”
![Page 31: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/31.jpg)
Network Security 31
Is Playfair Any Good?
Digraphs are harder to identify Considered unbreakable for a long time
Used by British in WWI US Army in WWII
Actually relatively easy to break Letter frequencies are still far from equal
![Page 32: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/32.jpg)
Network Security 32
Polyalphabetic Ciphers
Use a set of monoaphabetic ciphers Key determines which cipher is used for
which letter Vigenere cipher
a is shift by 0, b is shift by 1, etc. Now use a keyword repetitively to
determine the encoding Thus “deceptive” encoding
“wearediscovered” produces “ZICVTWQNGRZGVTW”
![Page 33: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/33.jpg)
Network Security 33
Breaking Polyalphabetic Ciphers First determine key length
E.g. sequence VTW is repeated at length 9• Therefore length is either 3 or 9
Then we have a key length monoalphabetic ciphers
Use autokey system: The key specifies the initial encoding The remainder is determined by the message Problem: key and plaintext share same letter
frequency distribution
![Page 34: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/34.jpg)
Network Security 34
One-Time Pad
Vernam (1918) ci = pi XOR ki
Theoretically unbreakable Why? Because if we have a message of length N,
and we try all possible keys, we will simply generate all possible messages of length N.
Thus: “Attack at dawn” could also decode to “Eat a Big Mac!” using brute force attack
![Page 35: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/35.jpg)
Network Security 35
One-Time Pad
So why not use it everywhere? Key size Key distribution Correctly generating random key Must destroy pad after use
• Why?
![Page 36: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/36.jpg)
Network Security 36
Transposition
Reorder letter sequence Rail fence E.g. “meet me at the toga party” with rail
fence of length 4 becomes MMTOAEEHGREAEATTTTPY
Trivial to cryptanalyze
ME E T
ME A T
T H E T
O G A P
A R T Y
![Page 37: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/37.jpg)
Network Security 37
Transposition
Improvements Use a key to permute the columns Thus using key 4312 to permute the
columns, we get• TTTPYEAEATMMTOAEEHGR
Doesn’t help much, because the letter frequencies remain the same and the structure is still fairly close to the original
Look at the letter positions:• 4 8 12 16 20 3 7 11 15 19 1 5 9 13 17 2 6 10 14
18
![Page 38: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/38.jpg)
Network Security 38
Multistage Transposition
Re-encode the ciphertext using the same (or a different!) key Thus, if we re-encode using the 4312 key,
we get PEMERTAMAGTYATETETOH Which has the letter positions
• 16 11 5 2 18 12 7 1 17 14 4 20 15 9 6 8 3 19 13 10
T T T P
Y E A E
A T M M
T O A E
E H G R
4 8 12 16
20 3 7 11
15 19 1 5
9 13 17 2
6 10 14 18
![Page 39: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/39.jpg)
Network Security 39
Rotor Machines
Single rotor is a monoalphabet that rotates by one after each key input
Thus equivalent to polyalphabet with period equal to size of alphabet
Concatenate rotors, and rotate at different speeds Thus inner rotor rotates one per key press Next rotor rotates one per inner rotor rotation For three rotors, 26x26x26 = 17,576 different
substitution alphabets before repetition
![Page 40: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/40.jpg)
Network Security 40
Data Encryption Standard (DES)
FIPS PUB 46 (1977) See http://www.itl.nist.gov/fipspubs/fip46-
2.htm Encrypts 64-bit blocks using a 56-bit key Same steps, same key to decrypt Started as project LUCIFER, used 128-bit key,
for Lloyd’s of London Reduced key size to 56 bits to fit on chip Two complaints:
Key size reduction S-box structure was classified
![Page 41: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/41.jpg)
Network Security 41
Initial Permutation Permuted Choice 1
Permuted Choice 2 Left Circular ShiftIteration 1
Iteration 16 Permuted Choice 2 Left Circular Shift
Inverse Initial Permutation
64-bit plaintext
64-bit ciphertext
K1
32-bit swap
56-bit key
K16
![Page 42: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/42.jpg)
Network Security 42
Operations
Initial Permutation and Inverse Initial Permutations follow the rule: X = IIP(IP(X))
They probably add nothing to the strength of DES
![Page 43: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/43.jpg)
Network Security 43
Li = R i-1
Ri = Li-1 (+) f(Ri-1,Ki)
![Page 44: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/44.jpg)
Network Security 44
Dealing With Keys First
Permuted choice 1 and 2 and the left-shifts are specified by the standard.Permuted choice 2 throws away bits 9, 18, 22, 25, 35, 38, 43, and 54 yielding a key of length 48 bits.
![Page 45: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/45.jpg)
Network Security 45
A Single Iteration of f(R,K)
E = ExpansionP = PermuteS = S Boxes(Each of these is specified by the standard)
![Page 46: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/46.jpg)
Network Security 46
DES Decryption
Runs the encryption process in the same way, except the sequence of 48-bit keys (K1 to K16) is applied in the reverse order Recall
• Li = Ri-1
• Ri = Li-1 (+) f(Ri-1,Ki)
Thus• Ri-1 = Li
• Li-1 = Ri (+) f(Ri-1,Ki) = Ri (+) f(Li,Ki)
![Page 47: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/47.jpg)
Network Security 47
Avalanche Effect
A small change in plaintext or key should cause a large change in ciphertext
DES exhibits this well A single bit change in the key or plaintext
results in around half of the ciphertext bits changing
![Page 48: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/48.jpg)
Network Security 48
Concerns about DES
256 possible keys Brute-force attack with special-purpose
hardware (costing around $250,000) EEF cracked DES encrypted text in 56 hours (1998) Note: this would require knowledge of the
plaintext nature so as to automate detection of a valid output
![Page 49: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/49.jpg)
Network Security 49
Differential Cryptanalysis
First reported in open literature in 1990 Chosen plaintext attack where the effect
of the difference between plaintext choices is observed through the DES operation, to enable probably key determination
DES is fairly secure against such attacks due to the S-Boxes and the permutation after each iteration
Requires 247 rounds with 247 chosen texts
![Page 50: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/50.jpg)
Network Security 50
Modes of Operation
Electronic Codebook (EBC) Each block encoded independently
Cipher Block Chaining (CBC) XOR each block of plaintext with ciphertext
of previous block At decryption, XOR ciphertext of previous
block with decrypted output Need initialization vector for first block
![Page 51: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/51.jpg)
Network Security 51
Cipher Block Chaining Mode
Cipher block chaining. (a) Encryption. (b) Decryption.
![Page 52: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/52.jpg)
Network Security 52
Modes of Operation
Cipher Feedback (CFB) Used for streaming data – j bits at a time Start with initialization vector and encrypt Select j bits of output
• This is XORed with the plaintext for transmission• This j-bit ciphertext is shifted into the IV for
computing the next j-bit output• Decryption is the same process
Output Feedback (OFB) Almost same as CFB, but don’t XOR before
shifting for next encryption
![Page 53: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/53.jpg)
Network Security 53
Cipher Feedback Mode
(a) Encryption. (c) Decryption.
![Page 54: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/54.jpg)
Network Security 54
Stream Cipher Mode
A stream cipher. (a) Encryption. (b) Decryption.
![Page 55: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/55.jpg)
Network Security 55
Counter Mode
Encryption using counter mode.
![Page 56: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/56.jpg)
Network Security 56
Triple DES
DES maps 264 -> 264
How do we know that C = Ek1(Ek2(P)) is not equivalent to C = Ek3(P)? Because for each key we must get a unique
mapping, where there are (264)! Possible permutations of input blocks
(Note, this is evidence, not proof ; Proof came in 1992)
![Page 57: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/57.jpg)
Network Security 57
So Why Not Double DES?
Meet in the middle attack Given known plaintext/ciphertext pair:
Encrypt P for all possible keys K1
Decrypt C for all possible keys K2
Check for matches. These are possible keys• Check against another plaintext/ciphertext pair
Requires O(256) work Also requires O(256) space!
![Page 58: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/58.jpg)
Network Security 58
Triple DES
C = Ek1(Dk2(Ek1(P))) Why this way?
Because if K1 = K2 then it reduces to DES
112-bit key No known practical attack on Triple DES
![Page 59: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/59.jpg)
Network Security 59
So What Do We Do With DES? What do we encrypt? Where do we encrypt? How do we distribute keys?
![Page 60: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/60.jpg)
Network Security 60
What and Where?
The network is generally considered to be untrustworthy Broadcast LANs
• Ethernet• 802.11
Physical penetration to wiring closet Interception of Microwave and Satellite
communication Separate authority domains
![Page 61: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/61.jpg)
Network Security 61
Link v. End to End
Link: How?
• Encrypt all link-layer traffic• Decrypt and re-encrypt at routers to enable
forwarding Advantages
• Network addresses (thus ultimate destination) is not visible
• One key per link Disadvantages
• Every network provider must provide it– But can still see message in the clear at the router
• Every customer gets it, whether they need it or not
![Page 62: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/62.jpg)
Network Security 62
End-to-End Encryption
How? Source encrypts Final destination decrypts
Advantages Only those who need it use it Intermediate routers cannot decrypt User authentication Easy to change encryption scheme
Disadvantages Anyone can see the final destination One key per communicating pair Key distribution is more problematic
What layer? Network? Transport? Application?
![Page 63: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/63.jpg)
Network Security 63
Key Distribution
If I always use the same key, then if that key is compromised, all prior communication is compromised Need frequent key exchange System is only as secure as key distribution
scheme
![Page 64: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/64.jpg)
Network Security 64
Basic Schemes
Alice gives Bob the key Alice gives her faithful friend Trish Trudy
Peterson (TTP) the key to deliver to Bob Alice uses the previous key to encrypt
the new key and send it to Bob Alice and Trish share a key KA. Bob and
Trish share a key KB. Trish delivers a key K to Alice and Bob allowing them to communicate
![Page 65: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/65.jpg)
Network Security 65
Key Distribution Centre (KDC)
Alice tell Trish that she wishes to talk to Bob (encrypted with KA)
Trish responds with a KA-encrypted message containing K, Time, and a KB-encrypted copy of K, Alice’s identity, and the Time
Alice sends Bob the KB-encrypted message together with her K-encrypted message
Bob decrypts the KB-encrypted messages, extracts K and can then decrypt Alice’s message
The time information is verified to ensure that this is not a replay-attack
![Page 66: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/66.jpg)
Network Security 66
KDC in Pictures
Alice Bob
KDC
1 2
3
4
5
![Page 67: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/67.jpg)
Network Security 67
How do I scale a KDC?
Hierarchical Key Control Each KDC is responsible for a small domain KDCs the communicate using the next level
in the hierarchy
Alice Bob
Alice’s KDC Bob’s KDC
Master KDC
1
23
4
5
6
![Page 68: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/68.jpg)
Network Security 68
Public Key Cryptography
symmetric key crypto requires sender,
receiver know shared secret key
Q: how to agree on key in first place (particularly if never “met”)? Though this
same problem appears to some extent in public-key cryptography
public key cryptography
radically different approach [Diffie-Hellman76, RSA78]
sender, receiver do not share secret key
encryption key public (known to all)
decryption key private (known only to receiver)
![Page 69: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/69.jpg)
Network Security 69
Public key cryptography
Figure 7.7 goes here
![Page 70: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/70.jpg)
Network Security 70
Public Key Requirements
Computationally easy to generate eB, dB
compute eB(M)
compute dB(eB(M))
Computationally infeasible to compute dB given eB and eB (M) for an arbitrary number
of messages M M given eB and eB(M)
Nice to have eB(dB(M)) = dB(eB(M)) = M
![Page 71: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/71.jpg)
Network Security 71
Diffie-Hellman Key Exchange
Given a large prime, q, and r < q is r primitive root of q r is a primitive root iff for all z < q, rz
mod(q) are distinct integers
Then, Alice selects private ka < q and calculates public pa = rkamod(q)
Likewise, Bob selects private kb < q and calculates public pb = rkbmod(q)
Public keys are exchanged
![Page 72: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/72.jpg)
Network Security 72
Session Key
Session key K = (pb)ka mod(q) = (pa)kb mod(q)
Proof (pb)ka mod(q) = (rkbmod(q))ka mod(q)
= (rkb)ka mod(q) = (rkb x ka mod(q) = (rka)kb mod(q) = (rkamod(q))kb mod(q) = (pa)kb mod(q)
![Page 73: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/73.jpg)
Network Security 73
Comments on Diffie-Hellman
Security comes from the fact that computing discrete logarithms is hard That is, given knowledge of q, r and
rkmod(q) it is not feasible to compute private key k
Do not need to use the same value for private key every time
Vulnerable to (wo)man-in-the-middle attack
![Page 74: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/74.jpg)
Network Security 74
Rivest-Shamir-Adelman (RSA)
1. Choose two large prime numbers p, q. (e.g., 1024 bits each)
2. Compute n = pq, z = (p-1)(q-1)
3. Choose e (with e<n) that has no common factors with z. (e, z are “relatively prime”).
4. Choose d such that ed-1 is exactly divisible by z. (in other words: ed mod z = 1 ).
5. Public key is (n,e). Private key is (n,d).
![Page 75: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/75.jpg)
Network Security 75
RSA: Encryption, decryption
0. Given (n,e) and (n,d) as computed above
1. To encrypt bit pattern, m, compute
c = m mod n
e (i.e., remainder when m is divided by n)e
2. To decrypt received bit pattern, c, compute
m = c mod n
d (i.e., remainder when c is divided by n)d
m = (m mod n)
e mod n
dObserve:
![Page 76: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/76.jpg)
Network Security 76
RSA example:
Bob chooses p=5, q=7. Then n=35, z=24.e=5 (so e, z relatively prime).d=29 (so ed-1 exactly divisible by z.
letter m me c = m mod ne
l 12 1524832 17
c m = c mod nd
17 481968572106750915091411825223072000 12
cdletter
l
encrypt:
decrypt:
Extension: Use RSA to exchange keys, Use DES to converse
![Page 77: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/77.jpg)
Network Security 77
Computational Aspects
Note that when we compute cdmod(n) we do not need to do the full computation of cd and the divide by n to see the remainder
Why? cdmod(n) = c2c(d-2)mod(n)
= c2mod(n)c(d-2)mod(n) Better: cdmod(n) = (c2)(d/2)mod(n)
= (c2mod(n))(d/2)mod(n)
![Page 78: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/78.jpg)
Network Security 78
RSA: Why: m = (m mod n)
e mod n
d
(m mod n)
e mod n = m mod n
d ed
Number theory result: If p,q prime, n = pq, then
x mod n = x mod ny y mod (p-1)(q-1)
= m mod n
ed mod (p-1)(q-1)
= m mod n1
= m
(using number theory result above)
(since we chose ed to be divisible by(p-1)(q-1) with remainder 1 )
![Page 79: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/79.jpg)
Network Security 79
Key Management
Distribution of public keys How to distribute How to revoke
Use of public-keys to distribute secret keys
![Page 80: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/80.jpg)
Network Security 80
Distribution of Public Keys
Public announcement Key authority
Certificates Web of Trust
![Page 81: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/81.jpg)
Network Security 81
Public Announcement
Send the key to other participants Append public key on all e-mail (PGP) Place on web-page Problem:
Forged announcement
![Page 82: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/82.jpg)
Network Security 82
Key Authority
Have a publicly available directory containing a name/public key database Keys must be registered with authority
securely Key replacement by the same secure
mechanism Alice requests Bob’s public key from
directory Directory responds with encrypted (using
directory’s private key) copy of Bob’s key, the original request, and the original message timestamp
Bob’s key can be kept for future use
![Page 83: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/83.jpg)
Network Security 83
Certificates
Do not want to contact key authority every time we need a public key
Solution: a certificate that contains
• Public key• Proof that the public key originates with the
certificate authority Only the CA can create a certificate Any participant can verify the certificate
![Page 84: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/84.jpg)
Network Security 84
Basic Mechanism for Certificate Certificate authority encrypts (using its
private key) the following three things: Timestamp Identity of Alice Public Key of Alice
Alice may now give this certificate to Bob Bob will decrypt the certificate using the
public key of the CA Bob now has public key for Alice that can only
have been provided by the CA
![Page 85: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/85.jpg)
Network Security 85
Certificates
A possible certificate and its signed hash.
![Page 86: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/86.jpg)
Network Security 86
X.509
The basic fields of an X.509 certificate.
![Page 87: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/87.jpg)
Network Security 87
Certificate Chains
As with the KDC hierarchy, we do not wish to all have to go to one location to get certificates Root CA (e.g. Verisign) CAs ‘R’ Us Root CA generates certificate for CAs ‘R’ Us CAs ‘R’ Us generates certificate for Bob Alice has public key for Root
• Uses it to determine public key for CAs ‘R’ Us• Which can then be used to determine public key
for Bob
![Page 88: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/88.jpg)
Network Security 88
Public-Key Infrastructures
(a) A hierarchical PKI. (b) A chain of certificates.
![Page 89: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/89.jpg)
Network Security 89
Web of Trust
Anyone can create such a certificate Bob and Trish were at a party, and Trish
created such a certificate for Bob’s public key
Alice and Trish were at a different party, and Trish gave Alice a copy of her public key
Alice uses Trish’s public key to decode the certificate from Bob
![Page 90: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/90.jpg)
Network Security 90
Web of Trust (2)
Trish knows Alice and Mary Alice has Trish’s public key Trish creates a certificate for Mary’s public
key Mary knows Bob
Mary creates a certificate for Bob’s public key
Alice can now follow the chain to determine Bob’s public key
![Page 91: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/91.jpg)
Network Security 91
PPP: Particularly Paranoid People Select multiple independent sources for
certificates If they all agree on the public key, then
it is probably valid This applies to both certificate
authorities and web of trust
![Page 92: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/92.jpg)
Network Security 92
Key Revocation
What happens when Alice’s key is compromised?
Solutions: Use short-durations certificates Use revocation lists from certificate
authorities
![Page 93: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/93.jpg)
Network Security 93
Attacks
Get the private key of the root authority Compromise client software
Change the self-signing certificate Capture the decrypted output Etc.
![Page 94: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/94.jpg)
Network Security 94
Secret Keys
Problem: Public-key encryption is computationally
slow DES is relatively fast
Use PKE to exchange a DES key, and then use DES to exchange data
More on this when we discuss authentication and digital signatures
![Page 95: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/95.jpg)
Network Security 95
Authentication and Digital Signatures Requirements
No disclosure No masquerade No replay No sequence modification No timing modification No repudiation
Functions Encryption Cryptographic Checksum Hash Function
![Page 96: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/96.jpg)
Network Security 96
Authentication
Goal: Bob wants Alice to “prove” her identity to him
Protocol ap1.0: Alice says “I am Alice”
Failure scenario??
![Page 97: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/97.jpg)
Network Security 97
Authentication: another try
Protocol ap2.0: Alice says “I am Alice” and sends her IP address along to “prove” it.
Failure scenario??
![Page 98: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/98.jpg)
Network Security 98
Authentication: another try
Protocol ap3.0: Alice says “I am Alice” and sends her secret password to “prove” it.
Failure scenario?
![Page 99: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/99.jpg)
Network Security 99
Authentication: yet another try
Protocol ap3.1: Alice says “I am Alice” and sends her encrypted secret password to “prove” it.
Failure scenario?
I am Aliceencrypt(password)
![Page 100: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/100.jpg)
Network Security 100
Authentication: yet another try
Goal: avoid playback attack
Failures, drawbacks?
Figure 7.11 goes here
Nonce: number (R) used only once in a lifetime
ap4.0: to prove Alice “live”, Bob sends Alice nonce, R. Alice
must return R, encrypted with shared secret key
![Page 101: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/101.jpg)
Network Security 101
Figure 7.12 goes here
Authentication: ap5.0
ap4.0 requires shared symmetric key problem: how do Bob, Alice agree on key can we authenticate using public key
techniques?
ap5.0: use nonce, public key cryptography
![Page 102: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/102.jpg)
Network Security 102
Figure 7.14 goes here
ap5.0: security hole
Man (woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice)
![Page 103: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/103.jpg)
Network Security 103
Digital Signatures
Cryptographic technique analogous to hand-written signatures.
Sender (Bob) digitally signs document, establishing he is document owner/creator.
Verifiable, nonforgeable: recipient (Alice) can verify that Bob, and no one else, signed document.
Simple digital signature for message m:
Bob encrypts m with his public key dB, creating signed message, dB(m).
Bob sends m and dB(m) to Alice.
![Page 104: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/104.jpg)
Network Security 104
Digital Signatures (more)
Suppose Alice receives msg m, and digital signature dB(m)
Alice verifies m signed by Bob by applying Bob’s public key eB to dB(m) then checks eB(dB(m) ) = m.
If eB(dB(m) ) = m, whoever signed m must have used Bob’s private key.
Alice thus verifies that: Bob signed m. No one else signed m. Bob signed m and not
m’.Non-repudiation:
Alice can take m, and signature dB(m) to court and prove that Bob signed m.
![Page 105: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/105.jpg)
Network Security 105
Message Digests
Computationally expensive to public-key-encrypt long messages
Goal: fixed-length,easy to compute digital signature, “fingerprint”
apply hash function H to m, get fixed size message digest, H(m).
Hash function properties: Produces fixed-size msg
digest (fingerprint) Given message digest x,
computationally infeasible to find m such that x = H(m)
computationally infeasible to find any two messages m and m’ such that H(m) = H(m’).
![Page 106: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/106.jpg)
Network Security 106
Digital signature = Signed message digestBob sends digitally signed
message:Alice verifies signature and
integrity of digitally signed message:
![Page 107: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/107.jpg)
Network Security 107
Hash Function Algorithms
Internet checksum would make a poor message digest. Too easy to find
two messages with same checksum.
MD5 hash function widely used. Computes 128-bit
message digest in 4-step process.
arbitrary 128-bit string x, appears difficult to construct msg m whose MD5 hash is equal to x.
SHA-1 is also used. US standard 160-bit message digest
![Page 108: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/108.jpg)
Network Security 108
Secure e-mail
• generates random symmetric private key, KS.• encrypts message with KS
• also encrypts KS with Bob’s public key.• sends both KS(m) and eB(KS) to Bob.
• Alice wants to send secret e-mail message, m, to Bob.
![Page 109: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/109.jpg)
Network Security 109
Secure e-mail (continued)
• Alice wants to provide sender authentication message integrity.
• Alice digitally signs message.• sends both message (in the clear) and digital signature.
![Page 110: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/110.jpg)
Network Security 110
Secure e-mail (continued)
• Alice wants to provide secrecy, sender authentication, message integrity.
Note: Alice uses both her private key, Bob’s public key.
![Page 111: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/111.jpg)
Network Security 111
Pretty good privacy (PGP)
Internet e-mail encryption scheme, a de-facto standard.
Uses symmetric key cryptography, public key cryptography, hash function, and digital signature as described.
Provides secrecy, sender authentication, integrity.
Inventor, Phil Zimmerman, was target of 3-year federal investigation.
---BEGIN PGP SIGNED MESSAGE---Hash: SHA1
Bob:My husband is out of town tonight.Passionately yours, Alice
---BEGIN PGP SIGNATURE---Version: PGP 5.0Charset: noconvyhHJRHhGJGhgg/
12EpJ+lo8gE4vB3mqJhFEvZP9t6n7G6m5Gw2
---END PGP SIGNATURE---
A PGP signed message:
![Page 112: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/112.jpg)
Network Security 112
Secure sockets layer (SSL)
PGP provides security for a specific network app.
SSL works at transport layer. Provides security to any TCP-based app using SSL services.
SSL: used between WWW browsers, servers for I-commerce (shttp).
SSL security services: server authentication data encryption client authentication
(optional)
Server authentication: SSL-enabled browser
includes public keys for trusted CAs.
Browser requests server certificate, issued by trusted CA.
Browser uses CA’s public key to extract server’s public key from certificate.
Visit your browser’s security menu to see its trusted CAs.
![Page 113: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/113.jpg)
Network Security 113
SSL (continued)
Encrypted SSL session: Browser generates
symmetric session key, encrypts it with server’s public key, sends encrypted key to server.
Using its private key, server decrypts session key.
Browser, server agree that future msgs will be encrypted.
All data sent into TCP socket (by client or server) i encrypted with session key.
SSL: basis of IETF Transport Layer Security (TLS).
SSL can be used for non-Web applications, e.g., IMAP.
Client authentication can be done with client certificates.
![Page 114: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/114.jpg)
Network Security 114
Secure electronic transactions (SET)
designed for payment-card transactions over Internet.
provides security services among 3 players: customer merchant merchant’s bankAll must have certificates.
SET specifies legal meanings of certificates. apportionment of
liabilities for transactions
Customer’s card number passed to merchant’s bank without merchant ever seeing number in plain text. Prevents merchants
from stealing, leaking payment card numbers.
Three software components: Browser wallet Merchant server Acquirer gateway
See text for description of SET transaction.
![Page 115: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/115.jpg)
Network Security 115
IPsec: Network Layer Security Network-layer secrecy:
sending host encrypts the data in IP datagram
TCP and UDP segments; ICMP and SNMP messages.
Network-layer authentication destination host can
authenticate source IP address
Two principle protocols: authentication header
(AH) protocol encapsulation security
payload (ESP) protocol
For both AH and ESP, source, destination handshake: create network-layer
logical channel called a service agreement (SA)
Each SA unidirectional. Uniquely determined by:
security protocol (AH or ESP)
source IP address 32-bit connection ID
![Page 116: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/116.jpg)
Network Security 116
ESP Protocol Provides secrecy, host
authentication, data integrity.
Data, ESP trailer encrypted. Next header field is in ESP
trailer.
ESP authentication field is similar to AH authentication field.
Protocol = 50.
![Page 117: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/117.jpg)
Network Security 117
Authentication Header (AH) Protocol
Provides source host authentication, data integrity, but not secrecy.
AH header inserted between IP header and IP data field.
Protocol field = 51. Intermediate routers
process datagrams as usual.
AH header includes: connection identifier authentication data: signed
message digest, calculated over original IP datagram, providing source authentication, data integrity.
Next header field: specifies type of data (TCP, UDP, ICMP, etc.)
![Page 118: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/118.jpg)
Network Security 118
System Security
Network Security =/= System Security Most common attacks exploit
Buffer overflow• E.g. bind, Windows XP, …
Protocol vulnerability• E.g. NFS
Weak passwords• Weak defaults
User behaviour Denial of Service
![Page 119: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/119.jpg)
Network Security 119
Buffer Overflow
Read in text from user with function such as gets()
No matter how big a buffer is allocated, the attacker can send in a larger amount
If heap allocated, will overflow on the heap Harder to exploit
If stack allocated, can easily change the return address of the function call
![Page 120: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/120.jpg)
Network Security 120
Buffer Overflow Solutions
Use library calls that have limits on what the amount of copying they will do
Use a language that performs array-bounds checking
Limit services that are offered on the system
![Page 121: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/121.jpg)
Network Security 121
Protocol Vulnerabilities
ARP: Need access to LAN Wait till machine X is down Respond to ARP request as X
NFS No per-user authentication No revocation Access by IP address; group and user IDs
![Page 122: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/122.jpg)
Network Security 122
Weak Password Solutions
Run crack programs to check the passwords
Require strong passwords at selection time
Require frequent changes Biometric Login
E.g. face recognition Passwordless solutions
![Page 123: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/123.jpg)
Network Security 123
User Behaviour
E-mail attachments can be executable, but not look like they are executable E.g. my.pictures.yahoo.com
Compromised machines can then contact other machines, and therefore look reputable
![Page 124: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/124.jpg)
Network Security 124
Denial of Service
Send more in than can come out E.g. SYN attack
Distributed DoS: Use a set of compromised machines No known solution at present
![Page 125: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/125.jpg)
Network Security 125
Skills
Most attacks are “script kiddies” See www.rootshell.com Defense is not much better
![Page 126: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/126.jpg)
Network Security 126
Defense Mechanisms
Configuration management What services are run? Are they patched? Is this realistic?
Firewalls Packet filtering Application-level gateway
Antivirus measures Intrusion Detection
![Page 127: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/127.jpg)
Network Security 127
Firewalls
Two firewall types: packet filter application
gateways
To prevent denial of service attacks: SYN flooding: attacker
establishes many bogus TCP connections. Attacked host alloc’s TCP buffers for bogus connections, none left for “real” connections.
To prevent illegal modification of internal data. e.g., attacker replaces
CIA’s homepage with something else
To prevent intruders from obtaining secret info.
isolates organization’s internal net from larger Internet, allowing some packets to pass, blocking others.
firewall
![Page 128: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/128.jpg)
Network Security 128
Packet Filtering
Internal network is connected to Internet through a router.
Router manufacturer provides options for filtering packets, based on: source IP address destination IP address TCP/UDP source and
destination port numbers
ICMP message type TCP SYN and ACK bits
Example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23. All incoming and outgoing
UDP flows and telnet connections are blocked.
Example 2: Block inbound TCP segments with ACK=0. Prevents external clients
from making TCP connections with internal clients, but allows internal clients to connect to outside.
![Page 129: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/129.jpg)
Network Security 129
Fragmentation Attack
Use IP fragmentation to get past the firewall
Send a small initial fragment that looks acceptable
The second fragment overwrites most of the first
![Page 130: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/130.jpg)
Network Security 130
Application gateways
Filters packets on application data as well as on IP/TCP/UDP fields.
Example: allow select internal users to telnet outside.
host-to-gatewaytelnet session
gateway-to-remote host telnet session
applicationgateway
router and filter
1. Require all telnet users to telnet through gateway.2. For authorized users, gateway sets up telnet
connection to dest host. Gateway relays data between 2 connections
3. Router filter blocks all telnet connections not originating from gateway.
![Page 131: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/131.jpg)
Network Security 131
Limitations of firewalls and gateways
IP spoofing: router can’t know if data “really” comes from claimed source
If multiple app’s. need special treatment, each has own app. gateway.
Client software must know how to contact gateway. e.g., must set IP
address of proxy in Web browser
Filters often use all or nothing policy for UDP.
Tradeoff: degree of communication with outside world, level of security
Many highly protected sites still suffer from attacks.
![Page 132: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/132.jpg)
Network Security 132
Anti-Virus Mechanisms
Ross Anderson: filter out Microsoft executables at the firewall Web-based e-mail gets around the firewall
Two main techniques Look for virus signature Look at program behaviour
![Page 133: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/133.jpg)
Network Security 133
Intrusion Detection
Assume that system will become compromised, then detect Misuse detection
• Honey trap Anomaly detection
Many false positives If accuracy is 99.9% and there are ten
attacks per million sessions, what is the ratio of false alarms to real alarms?
![Page 134: Network Security1 r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality](https://reader031.vdocument.in/reader031/viewer/2022013004/56649efc5503460f94c0fdc8/html5/thumbnails/134.jpg)
Network Security 134
Network Security (summary)
Basic techniques…... cryptography (symmetric and public) authentication message integrity…. used in many different security scenarios secure email secure transport (SSL) IP sec Firewalls Etc.