CS 453 Computer Networks Lecture 25 Introduction to Network Security

Page 1: CS 453 Computer Networks Lecture 25 Introduction to Network Security

CS 453 Computer Networks

Lecture 25

Introduction to Network Security

Network Security

Data networks have become the core communication conduit for local, regional and global communications
Once the esoteric domain of computer scientists... no longer
Now data communications networks are the primary means of communication worldwide

Network Security

Data communications networks carry
Medical records
Critical health care data
Banking and financial information
National security secrets
....
...and of course, YouTube and our email

Network Security

The point – data networks are critical
Lives, livelihoods, economies and countries depend on them
Not only must they be present and operational...
...but they must be secure
...and this is not just about people-to-people or organization-to-organization communications, but about the network itself

Network Security

So what do we mean by secure?
Confidential communications – some messages should only be read by the intended receiver
Authentication – we want to have confidence that a message came from who we think it came from
Integrity and nonrepudiation – the message received is the one sent, it has not been altered or tampered with (and the sender cannot later deny having sent it)
Availability and access control – make the network resilient to security threats, and only let agents use the network that should be using the network and...
...and only in the way they are authorized to use it

Network Security

In part, network security means protecting the network
Building in safeguards and protections
Monitoring for attacks and intrusions...
And responding to these threats and intrusions with newer, better protections

Network Security

Confidentiality – Encryption

If we want to make sure that only the intended recipient of a message can understand the message, we need to disguise it...
...that is encryption

Network Security

Encryption basics – Imagine Alice and Bob
They are two routers in a network
And they need to send messages to each other

Network Security

Encryption basics – Alice sends a message "Bob, I Love You, Alice" to Bob
The message as is is referred to as "cleartext" (also called plaintext)
But Alice will encrypt it – the encrypted form is called "ciphertext"

Network Security

Encryption basics – Alice will use a key Ka to encrypt the message m...
Bob will use another (possibly the same) key Kb to decrypt the message
Alice sends Ka(m) to Bob...
Bob processes the ciphertext with Kb to get
Kb(Ka(m)) = m

Network Security

Encryption basics –
Symmetric key encryption – both keys are identical and secret
Public key encryption – a pair of keys is used: one known to everyone, and one (the private key) known only to its owner – the receiver when the pair is used for confidentiality, the sender when it is used for signing – but never to both parties

Network Security

Encryption basics – Caesar cipher – encode text using an offset in the alphabet...
For example, if K=3, then A=D, B=E, ...
...or "I Love You" = "l oryh brx"
Easy to crack: there are only 25 useful offsets, and recovering one symbol gives you the whole key

Network Security

Encryption basics –
Monoalphabetic cipher – define an arbitrary mapping between cleartext symbols and ciphertext symbols
So, something like
a b c d e f ...
m n b v c x ...
So, maybe "I Love You" is "s gktc wky"
Caesar cipher – key has 26 possible values
Monoalphabetic cipher – key has 26! possible values
Harder to crack... but not that hard. Why?
Because the substitution preserves the letter frequencies of the plaintext language: the most common ciphertext symbols stand for the most common plaintext letters (e, t, a, ...), and the rest follows from common words and letter pairs

Network Security

Encryption basics –
Polyalphabetic cipher
Use multiple monoalphabetic ciphers
And use them in a repeating sequence to encrypt a message
Suppose we have two ciphers c1 and c2
We could use the sequence c1, c1, c2, c1, c1
That is, encrypt the first symbol with c1, the second symbol with c1, the third symbol with c2, ...
It's getting harder to crack (though once the length of the repeating sequence is found, each position is a separate monoalphabetic problem)
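
The three ciphers from the last three slides, as an added example that is not part of the original lecture: Caesar, monoalphabetic and polyalphabetic substitution in Python, plus a letter-frequency attack that shows, for the Caesar case, the signal that also makes the 26!-key monoalphabetic cipher "not that hard". The full monoalphabetic key (the slides show only its first six letters) is assumed to be the Kurose and Ross textbook key, which reproduces the slide's "s gktc wky"; the sample paragraph used for the frequency attack is constructed here.

```python
"""Caesar, monoalphabetic and polyalphabetic substitution, plus a letter-frequency
attack on Caesar. Added example, not code from the CS 453 slides."""
import string

ALPHA = string.ascii_lowercase

# The slides show only the start of the monoalphabetic key ("a b c d e f" -> "m n b v c x").
# Assumed completion: the textbook key (Kurose & Ross); it turns "I Love You" into "s gktc wky".
MONO_KEY = "mnbvcxzasdfghjklpoiuytrewq"

# Approximate relative frequencies of letters in English text, in percent.
ENGLISH_FREQ = {
    "a": 8.2, "b": 1.5, "c": 2.8, "d": 4.3, "e": 12.7, "f": 2.2, "g": 2.0, "h": 6.1,
    "i": 7.0, "j": 0.15, "k": 0.77, "l": 4.0, "m": 2.4, "n": 6.7, "o": 7.5, "p": 1.9,
    "q": 0.095, "r": 6.0, "s": 6.3, "t": 9.1, "u": 2.8, "v": 0.98, "w": 2.4, "x": 0.15,
    "y": 2.0, "z": 0.074,
}


def substitute(text, table):
    """Replace each letter by the letter at the same position in a 26-letter table.
    Non-letters pass through unchanged; output is lowercase, like the slides."""
    return "".join(table[ALPHA.index(ch)] if ch in ALPHA else ch for ch in text.lower())


def invert(table):
    """Inverse of a 26-letter permutation table, so decryption is just another substitution."""
    inverse = [""] * 26
    for plain_index, cipher_letter in enumerate(table):
        inverse[ALPHA.index(cipher_letter)] = ALPHA[plain_index]
    return "".join(inverse)


def caesar_table(k):
    """Caesar cipher with offset k: a -> the k-th letter after a, wrapping round."""
    k %= 26
    return ALPHA[k:] + ALPHA[:k]


def caesar_encrypt(text, k):
    return substitute(text, caesar_table(k))


def caesar_decrypt(text, k):
    return substitute(text, invert(caesar_table(k)))


def mono_encrypt(text, key=MONO_KEY):
    return substitute(text, key)


def mono_decrypt(text, key=MONO_KEY):
    return substitute(text, invert(key))


def poly_encrypt(text, tables, pattern):
    """Polyalphabetic cipher: the i-th letter uses tables[pattern[i % len(pattern)]];
    pattern [0, 0, 1, 0, 0] is the slides' c1, c1, c2, c1, c1 sequence."""
    out, i = [], 0
    for ch in text.lower():
        if ch in ALPHA:
            out.append(tables[pattern[i % len(pattern)]][ALPHA.index(ch)])
            i += 1
        else:
            out.append(ch)
    return "".join(out)


def poly_decrypt(text, tables, pattern):
    return poly_encrypt(text, [invert(t) for t in tables], pattern)


def chi_squared(text):
    """Distance between the letter counts of text and English; lower is more English-like."""
    letters = [ch for ch in text if ch in ALPHA]
    n = len(letters)
    total = 0.0
    for ch in ALPHA:
        expected = ENGLISH_FREQ[ch] * n / 100
        total += (letters.count(ch) - expected) ** 2 / expected
    return total


def crack_caesar(ciphertext):
    """Try all 26 offsets and return the one whose decryption looks most like English.
    The same frequency signal is what breaks the 26!-key monoalphabetic cipher."""
    return min(range(26), key=lambda k: chi_squared(caesar_decrypt(ciphertext, k)))


# Constructed sample plaintext for the frequency attack (not from the slides).
SAMPLE_TEXT = (
    "the network carries medical records and banking data and national secrets so the "
    "messages that cross it must stay confidential and the receiver must be sure that each "
    "message came from the sender it claims and was not altered on the way which is why the "
    "lecture spends so much time on keys and ciphers and signatures"
)
```

Running crack_caesar on caesar_encrypt(SAMPLE_TEXT, k) returns k for any offset: the ciphertext's letter histogram is the English histogram shifted, and only one shift lines it back up.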

Network Security

Data Encryption Standard (DES)
Adopted as a US federal standard in 1977 (FIPS 46) and reaffirmed by NIST in 1993 (FIPS 46-2)
Symmetric key, for commercial and nonclassified use
Encrypts messages in 64-bit blocks using 56-bit keys
Involves multiple "shuffles" and permutations of the data... see Kaufman (1995) for details

Network Security

Data Encryption Standard (DES)
Is it good?
RSA challenge to break DES encryption – 1997
A group of internet volunteers cracked the code in less than four months... and earned $10k
In 1999 – another group of internet volunteers cracked the code in 22 hours

Network Security

Data Encryption Standard (DES)
2001 – NIST adopted a successor to DES – the Advanced Encryption Standard (AES)
Encrypts 128-bit blocks
Uses 128, 192 or 256-bit keys
NIST estimates that if a computer could crack a 56-bit DES key in one second...
It would take that same computer 149 trillion years to crack a 128-bit AES key
(A 128-bit key has 2^72 times as many possible values as a 56-bit key, and brute force scales accordingly. Single DES is no longer considered secure and should not be used in new designs.)

Network Security

Symmetric Key Encryption
Requires sender and receiver both to have a key...
And the sender's and receiver's keys have to be identical
But how do they get these keys?
They can't transmit them in the clear
They can't encrypt them and then transmit them either – that would need a shared key already

Network Security

Public Key Encryption
Imagine – Bob has two keys
One (Kb-pub) is public, which he will share with anyone
One (Kb-pri) is private and not shared with anyone
A message encrypted with Bob's Kb-pub can only be decrypted with Bob's Kb-pri
Kb-pri(Kb-pub(m)) = m

Network Security

Public Key Encryption
Bob has two keys
So, if Alice wants to send Bob an encrypted message...
She must first obtain a copy of Bob's public key – Kb-pub
Alice then encrypts the message using Kb-pub and an agreed-upon encryption algorithm...
...and sends the message
Bob receives the message, and...
Decrypts it using his private key Kb-pri

Network Security

Public Key Encryption
Takes care of confidentiality
Recall that in symmetric key encryption the key was secret, so...
Under normal circumstances you can assume that if a message arrived that had been encrypted with that key, it came from the source you think it came from...
Unless the key was stolen (that's what spies are for)

Network Security

Public Key Encryption
...but with public key encryption anyone can get Bob's public key, so Bob doesn't know whether the message really came from Alice, even if it says it did.
i.e. encrypting with the receiver's public key gives confidentiality but, by itself, no authentication

Network Security

Public Key Encryption Algorithms

RSA Public Key Encryption – widely used
Choose two large prime numbers p and q
Compute n = pq and z = (p-1)(q-1)
Choose a number e, less than n, that has no common factors (except 1) with z
Find a number d where ed - 1 is evenly divisible by z (that is, ed mod z = 1)
Public key Kpub = (n, e)
Private key Kpri = (n, d)

Network Security

Public Key Encryption Algorithms

RSA Public Key Encryption
Then for a message m (a number less than n), we encrypt
C = m^e mod n
And decrypt –
M = C^d mod n
Remember Alice has e (and n)
And only Bob has d
A message longer than n is split into numeric blocks each smaller than n; in practice RSA is used to protect a symmetric key rather than the message itself

Network Security

Public Key Encryption Algorithms
RSA Public Key Encryption
Suppose Bob picks p=5 and q=7
n=35 and z=24
Choose e=5 since 5 (e) and 24 (z) have no common factors
Choose d=29 since (ed - 1) mod z = 0: (5*29) - 1 = 144, and 144 mod 24 = 0
Bob gives Alice his Kpub, which is (n, e) = (35, 5)
Alice encrypts the message "hi" and sends it to Bob

Network Security

RSA Public Key Encryption

Alice encrypts with e=5, n=35:

Cleartext   Numeric value (m)   m^e           C = m^e mod n
h           68                  1453933568    3
i           69                  1564031349    34

Bob decrypts with d=29, n=35:

C     C^d            M = C^d mod n   Cleartext
3     6.86304E13     33              (not h: 68 mod 35 = 33)
34    2.58755E44     34              (not i: 69 mod 35 = 34)

The original slide showed 68 and 69 in the decryption column, but 3^29 mod 35 = 33 and 34^29 mod 35 = 34. RSA only recovers m mod n, and the numeric values 68 and 69 are larger than n = 35, so the cleartext cannot be recovered. Each numeric block must be smaller than n: with the letter positions h = 8 and i = 9, encryption gives 8^5 mod 35 = 8 and 9^5 mod 35 = 4, and decryption gives back 8 and 9.

Network Security

Authentication – is it really who we think it is?

Host-based authentication
Messages carry the IP address of the source
So, authenticate based on the IP address in the message header
Easy to fake – IP spoofing

Network Security

Authentication

Password authentication
Use a password in a message...
Or to establish a connection
Easy to capture the password, especially if it is sent in cleartext – sniffing

Network Security

Authentication

Encrypted password authentication
Encrypt a password and use it in a message, or to establish a connection
An attacker can still capture the encrypted password...
And play it back when the password is needed – a playback (replay) attack
The server cannot tell the recorded copy from the original unless something fresh per session (a nonce or timestamp) is bound into the exchange

Network Security

Authentication

Public key authentication
Just like data stream encryption, we can use public keys to encrypt a password for authentication
Alice wants to send a message to Bob...
Bob sends Alice his public key
Alice encrypts her password with Bob's public key, and transmits it
Note: the captured ciphertext can still be replayed unless the exchange includes something fresh per session. SSH's public key user authentication actually works the other way round: the client proves possession of its own private key by signing data tied to the session, so no password travels at all
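
The password, replay and public key slides above name the playback attack but not how a server defeats it. The following Python is an added example, not code from the lecture: the replayable scheme (a password transformed the same way on every login, SHA-256 standing in for the slide's "encrypted password") beside a challenge-response scheme in which the server issues a fresh nonce per attempt. The user name, password and messages are constructed, and the challenge-response half goes one step beyond what the slides cover.

```python
"""Password authentication over a sniffable network: a replayable "encrypted" password
beside a challenge-response scheme that a captured message cannot replay.
Added example, not code from the CS 453 slides. Credentials and messages are constructed."""
import hashlib
import hmac
import os

# Constructed credential store; a real server stores salted password hashes, not passwords.
PASSWORD_DB = {"alice": "correct horse battery staple"}


# --- Scheme 1: the password is transformed before sending, but the same way every time ---

def weak_login_message(user, password):
    """Client side. SHA-256 stands in for the slide's "encrypted password": the wire never
    carries the cleartext, but the token is identical on every login."""
    return {"user": user, "token": hashlib.sha256(password.encode()).hexdigest()}


def weak_server_check(msg):
    """Server side. Anything it can verify without per-session input is replayable."""
    password = PASSWORD_DB.get(msg.get("user"))
    if password is None:
        return False
    expected = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(msg["token"], expected)


# --- Scheme 2: challenge-response, the server contributes a fresh nonce per login ---

def client_response(password, nonce):
    """Client side: bind the secret to this session's nonce; the password itself never travels."""
    return hmac.new(password.encode(), nonce.encode(), hashlib.sha256).hexdigest()


class ChallengeServer:
    def __init__(self):
        self.outstanding = {}          # user -> nonce issued for the current attempt

    def challenge(self, user):
        nonce = os.urandom(16).hex()   # unpredictable, never reused
        self.outstanding[user] = nonce
        return nonce

    def check(self, user, nonce, response):
        issued = self.outstanding.pop(user, None)   # single use: consumed on first check
        password = PASSWORD_DB.get(user)
        if issued is None or password is None or not hmac.compare_digest(nonce, issued):
            return False
        return hmac.compare_digest(response, client_response(password, nonce))


# --- Carol sniffs one login and replays it ---

def replay_against_weak():
    captured = weak_login_message("alice", PASSWORD_DB["alice"])   # Alice logs in, Carol sniffs
    first = weak_server_check(captured)
    replayed = weak_server_check(dict(captured))                   # Carol resends the same bytes
    return first, replayed


def replay_against_challenge():
    server = ChallengeServer()
    nonce = server.challenge("alice")
    captured = ("alice", nonce, client_response(PASSWORD_DB["alice"], nonce))
    first = server.check(*captured)
    server.challenge("alice")                  # the next attempt gets a fresh nonce
    replayed = server.check(*captured)         # the old nonce is no longer outstanding
    return first, replayed


if __name__ == "__main__":
    print("replayable scheme  (first login, replay):", replay_against_weak())
    print("challenge-response (first login, replay):", replay_against_challenge())
```

The weak scheme answers (True, True): the replay is accepted. The challenge-response scheme answers (True, False): the recorded response was computed over a nonce the server has already consumed, so it is useless to Carol even though she captured every byte.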

Network Security

Public key authentication

Man-in-the-middle attack
Bob wants to send a message to Alice
Carol sends Bob her public key, saying it is from Alice
Carol also obtains Alice's public key (it is public)
Bob sends a message to Alice using Carol's public key, and Carol intercepts it
Carol decrypts and reads the message
Carol encrypts the message with Alice's public key
And sends it to Alice, saying it is from Bob
...and no one is the wiser
The root problem: Bob had no way to check that the public key he received really belongs to Alice. Binding keys to identities (certificates, or an out-of-band fingerprint check) is what closes this hole

Network Security

Data integrity – is it really the right data?

We need some way to assure the receiver that the message contents are really the message contents that were sent
In the paper world we sign reports, expense account statements, etc. to vouch for the accuracy (integrity) of the information in the reports or statements
...so

Network Security

Data integrity

Digital signatures
Encrypt a document using a private key
What?
BTW, public/private keys are two way: what one key of the pair encrypts, the other decrypts (this is how RSA behaves)
If I encrypt with my private key, since it is not public, I had to be the one that encrypted it (my signature)

Network Security

Data integrity

Digital signatures
Note: if the message is altered after it is digitally signed, Kpub(Kpri(m)) will no longer equal the message that was received
i.e. the verifier recovers something other than what it holds, so the signature fails to check

Network Security

Data integrity

Message digests
Digital signatures are expensive (public key operations over the whole document)
Alternative – create a message digest
Use a hash function, then digitally sign the short, fixed-length message digest
Caveat: a CRC or checksum is not good enough here – an attacker can easily construct a different message with the same CRC. The digest must come from a cryptographic hash function. MD5 was the common choice when these slides were written; it is now broken (collisions are cheap to produce) and SHA-2 (e.g. SHA-256) is used instead

Network Security

Data integrity

Message digests
Original message is sent in cleartext...
Along with the digitally signed message digest
Receiver computes a second message digest on the received message
Receiver verifies the signature with the sender's public key to recover the digest that was signed
If the two message digests match, the message is good (unaltered, and vouched for by the holder of the private key)
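
The RSA slides (key generation, C = m^e mod n, M = C^d mod n, and Bob's p=5, q=7 worked example) and the digital signature and message digest slides share one implementation, so one added example serves both. This Python is not code from the lecture: it reproduces the p=5, q=7 example with "hi" encoded as letter positions, shows numerically why the slide's values 68 and 69 cannot be decrypted with n=35, and signs a SHA-256 digest with a larger (but still toy) key built from two Mersenne primes. No padding and tiny keys: for understanding the mechanics only, never for real use.

```python
"""Textbook RSA as on the slides: key generation from p, q, e; encryption and decryption
with the slides' p=5, q=7 example; and a digitally signed message digest.
Added example, not code from the CS 453 slides. No padding and tiny keys: teaching only."""
import hashlib
from math import gcd


def rsa_keygen(p, q, e):
    """n = pq, z = (p-1)(q-1), e coprime to z, d with ed - 1 divisible by z.
    Returns (public key (n, e), private key (n, d))."""
    n = p * q
    z = (p - 1) * (q - 1)
    if gcd(e, z) != 1:
        raise ValueError("e must share no factor with z")
    d = pow(e, -1, z)           # modular inverse (Python 3.8+): e*d mod z == 1
    return (n, e), (n, d)


def encrypt(pub, m):
    """C = m^e mod n. Refuses m >= n: RSA only recovers m mod n."""
    n, e = pub
    if not 0 <= m < n:
        raise ValueError(f"block {m} is not below n = {n}")
    return pow(m, e, n)


def decrypt(pri, c):
    """M = C^d mod n."""
    n, d = pri
    return pow(c, d, n)


def slides_example():
    """Bob's p=5, q=7, e=5 with 'hi' encoded as letter positions a=1 ... z=26."""
    pub, pri = rsa_keygen(5, 7, 5)
    # The slides use d=29; pow() returns the smallest inverse, 5. Both satisfy 5*d mod 24 == 1.
    blocks = [ord(ch) - ord("a") + 1 for ch in "hi"]        # [8, 9]
    cipher = [encrypt(pub, m) for m in blocks]
    plain = "".join(chr(decrypt(pri, c) + ord("a") - 1) for c in cipher)
    return pub, pri, cipher, plain


def slides_table_check():
    """Why the slide's table fails: with m = 68 > n = 35, encryption gives 3 as shown,
    but decryption returns 68 mod 35 = 33, not 68. Raw pow() bypasses encrypt()'s check."""
    n, e, d = 35, 5, 29
    c = pow(68, e, n)
    return c, pow(c, d, n)


# --- Signed message digest ---
# Two Mersenne primes give a ~150-bit n: big enough that SHA-256 mod n does not collide
# by accident in this demo, still far smaller than a real 2048-bit key.
SIG_PUB, SIG_PRI = rsa_keygen((1 << 61) - 1, (1 << 89) - 1, 65537)


def digest_int(message, n):
    """Message digest as an integer below n (toy reduction; real schemes pad the hash)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(pri, message):
    """Signature = digest 'encrypted' with the private key: only the key holder can make it."""
    n, d = pri
    return pow(digest_int(message, n), d, n)


def verify(pub, message, signature):
    """Recompute the digest of the received cleartext and compare with the signed digest."""
    n, e = pub
    return pow(signature, e, n) == digest_int(message, n)


def signature_demo():
    """Sign the slide-9 message (constructed bytes) and try the signature on an altered copy."""
    message = b"Bob, I Love You, Alice"
    sig = sign(SIG_PRI, message)
    return verify(SIG_PUB, message, sig), verify(SIG_PUB, b"Bob, I Hate You, Alice", sig)


if __name__ == "__main__":
    print(slides_example())          # ((35, 5), (35, 5), [8, 4], 'hi')
    print(slides_table_check())      # (3, 33)
    print(signature_demo())          # (True, False)
```

The signature half is exactly the slide-37 flow: the sender ships the cleartext and pow(digest, d, n); the receiver hashes what it received, "decrypts" the signature with (n, e), and accepts only if the two digests are equal. Altering one word changes the digest, so the comparison fails.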

Network Security

Access control

Firewalls – Packet Filtering
Filter on:
IP source or destination address
TCP or UDP port numbers
ICMP message types
Connection-initiation datagrams, using the SYN and ACK bits (SYN set, ACK clear)

Network Security

Access control

Firewalls – Packet Filtering
Controlled by rules
Permit this, deny that
Order of evaluation of rules is important: typically the first rule that matches a packet decides, and anything no rule matches is dropped
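
A small first-match packet filter over the fields listed on the two slides above, as an added example that is not part of the lecture. The rules, addresses and packets are constructed; the point it shows is the one the slide makes about ordering: the same rules in a different order cut off the site's own web server.

```python
"""A first-match packet filter over the fields the slides list (addresses, ports, ICMP
types, SYN/ACK bits), run against constructed packets to show that rule order decides
the outcome. Added example, not code from the CS 453 slides; addresses are made up."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                          # "tcp", "udp" or "icmp"
    dport: int = 0                      # TCP/UDP destination port
    flags: frozenset = frozenset()      # TCP flags, e.g. {"SYN"} or {"SYN", "ACK"}
    icmp_type: int = -1                 # ICMP message type (8 = echo request)


@dataclass
class Rule:
    action: str                         # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: int = 0                      # 0 = any port
    syn_only: bool = False              # match only connection-initiation segments (SYN set, ACK clear)
    icmp_type: int = -1                 # -1 = any ICMP type

    def matches(self, pkt):
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.dport and self.dport != pkt.dport:
            return False
        if self.syn_only and not ("SYN" in pkt.flags and "ACK" not in pkt.flags):
            return False
        if self.icmp_type != -1 and self.icmp_type != pkt.icmp_type:
            return False
        return True


def evaluate(rules, pkt):
    """First matching rule wins; an implicit deny applies if nothing matches."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Constructed site: 10.0.0.0/24 is the inside network, 10.0.0.5 its public web server.
INSIDE = "10.0.0.0/24"
WEB = Rule("permit", dst="10.0.0.5/32", proto="tcp", dport=80)       # outsiders may open HTTP
NO_INBOUND_SYN = Rule("deny", dst=INSIDE, proto="tcp", syn_only=True)  # no other inbound connections
ESTABLISHED = Rule("permit", proto="tcp")                             # replies to inside-initiated TCP
INSIDE_DNS = Rule("permit", src=INSIDE, proto="udp", dport=53)
NO_PING = Rule("deny", dst=INSIDE, proto="icmp", icmp_type=8)
DENY_ALL = Rule("deny")

GOOD_ORDER = [WEB, NO_INBOUND_SYN, ESTABLISHED, INSIDE_DNS, NO_PING, DENY_ALL]
BAD_ORDER = [NO_INBOUND_SYN, WEB, ESTABLISHED, INSIDE_DNS, NO_PING, DENY_ALL]  # SYN rule first

# Constructed packets.
WEB_SYN = Packet("203.0.113.9", "10.0.0.5", "tcp", 80, frozenset({"SYN"}))
SSH_SYN = Packet("203.0.113.9", "10.0.0.7", "tcp", 22, frozenset({"SYN"}))
REPLY = Packet("198.51.100.2", "10.0.0.7", "tcp", 51515, frozenset({"SYN", "ACK"}))
DNS_OUT = Packet("10.0.0.7", "198.51.100.53", "udp", 53)
PING_IN = Packet("203.0.113.9", "10.0.0.7", "icmp", icmp_type=8)


def decisions(rules):
    """Decision for each sample packet under the given rule list."""
    samples = [("web_syn", WEB_SYN), ("ssh_syn", SSH_SYN), ("reply", REPLY),
               ("dns_out", DNS_OUT), ("ping_in", PING_IN)]
    return {name: evaluate(rules, pkt) for name, pkt in samples}


if __name__ == "__main__":
    print("good order:", decisions(GOOD_ORDER))
    print("bad order: ", decisions(BAD_ORDER))
```

With GOOD_ORDER the web SYN is permitted, the SSH SYN denied, the SYN/ACK reply and outbound DNS permitted, and the inbound ping denied. Swapping the first two rules changes only one answer: the web SYN now hits the blanket SYN deny before the port-80 permit is ever consulted.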

Network Security

Access control

Firewalls – Application Gateways
Sometimes packet filtering is not enough
Maybe you want certain authenticated users to be able to use a service from specific IP addresses but not others
Application gateways are intermediate services – connect to the gateway, and the gateway connects to the service of interest

Network Security

Access control – Firewalls – Application Gateways

For example, suppose you want to let certain users telnet out of the network, but not everyone
A user wanting to telnet out telnets to the telnet gateway
The user authenticates to the gateway
The user provides the gateway with the telnet destination
The gateway telnets to the destination
The gateway relays telnet packets between the user and the service

Network Security

Threats
Mapping – port scanning
Packet sniffing
Spoofing
Denial of service attacks
See: http://en.wikipedia.org/wiki/Denial_of_service

"That's all I have to say about that." – Forrest Gump