Khaled Mahbub, IICT, BUET, 2008 ICT 6621 : Advanced Networking
Outline
• Network Security Concepts
• Principles of cryptography
• Authentication
• Integrity
• Key Distribution and certification
• Security in many layers
Network Security
• Confidentiality (Secrecy): only sender, intended receiver should “understand” message contents
– sender encrypts message
– receiver decrypts message
• Authentication: sender, receiver want to confirm identity of each other
• Message Integrity: sender, receiver want to ensure message is not altered (in transit, or afterwards) without detection
• Access and Availability: services must be accessible and available to users
Friends and Enemies
• well-known in network security world
• “A” and “B” want to communicate “securely”
• “C” (intruder) may intercept (passive intruder), delete, add messages (active intruder)
[Figure: A’s secure sender and B’s secure receiver exchange data and control messages over a channel; intruder C is on the channel.]
Who Might A, B and C be?
Possible A and B
• real-life human users
• Web browser/server for electronic transactions (e.g., on-line purchases)
• on-line banking client/server
• DNS servers
• routers exchanging routing table updates
Possible C
– eavesdrop: intercept messages
– actively insert messages into connection
– impersonation: can fake (spoof) source address in packet (or any field in packet)
– hijacking: “take over” ongoing connection by removing sender or receiver, inserting himself in place
– denial of service: prevent service from being used by others (e.g., by overloading resources)
Outline
• Network Security Concepts
• Principles of cryptography
• Authentication
• Integrity
• Key Distribution and certification
• Security in many layers
The Language of Cryptography
symmetric key cryptography: sender, receiver keys identical
public-key cryptography: encryption key public, decryption key secret (private)
[Figure: plaintext → encryption algorithm (A’s encryption key $K_A$) → ciphertext → decryption algorithm (B’s decryption key $K_B$) → plaintext; intruder C is on the channel.]
Symmetric Key Cryptography
• substitution cipher: substituting one thing for another
– Caesar cipher: taking each letter in the plaintext message and substituting the letter that is k letters later (allowing wraparound), i.e. if k=4, then the letter "a" in plaintext becomes "d" in cipher text; "b" in plaintext becomes "e" in cipher text, and so on.
– monoalphabetic cipher: substitute one letter for another
plaintext: abcdefghijklmnopqrstuvwxyz
ciphertext: mnbvcxzasdfghjklpoiuytrewq
E.g.:
plaintext: hello there
ciphertext: acggk uacoc
Symmetric Key Cryptography
• Vigenere ciphers: use multiple monoalphabetic ciphers, with a specific monoalphabetic cipher to encode a letter in a specific position in the plaintext message.
• Example: two different Caesar ciphers C1 (k=6) and C2 (k=20), used in the repeating pattern C1, C2, C2, i.e. the first letter of plaintext is encoded using C1, the second and third using C2. The pattern then repeats.
plaintext: hello there
ciphertext: mxeqh mmxkj
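
The two substitution examples above, reproduced as an added example (not part of the original slides). It assumes the slides count k inclusively, so k=6 and k=20 mean shifts of 5 and 19; that reading is inferred from the slide's ciphertext and from "a" becoming "d" for k=4.

```python
import string

ALPHABET = string.ascii_lowercase
# Monoalphabetic key copied from the slide.
MONO_KEY = "mnbvcxzasdfghjklpoiuytrewq"

def caesar_key(shift):
    """Cipher alphabet for a Caesar cipher that moves each letter `shift` places."""
    shift %= 26
    return ALPHABET[shift:] + ALPHABET[:shift]

def encrypt(plaintext, keys):
    """Substitute letters, cycling through `keys` one letter at a time.

    One key gives a monoalphabetic cipher; several give the slide's
    repeating pattern. Non-letters pass through unchanged and do not
    advance the pattern."""
    out, position = [], 0
    for ch in plaintext:
        if ch in ALPHABET:
            key = keys[position % len(keys)]
            out.append(key[ALPHABET.index(ch)])
            position += 1
        else:
            out.append(ch)
    return "".join(out)

def decrypt(ciphertext, keys):
    """Invert encrypt() by looking each letter up in the key in use."""
    out, position = [], 0
    for ch in ciphertext:
        if ch in ALPHABET:
            key = keys[position % len(keys)]
            out.append(ALPHABET[key.index(ch)])
            position += 1
        else:
            out.append(ch)
    return "".join(out)

# Slide parameters k=6 and k=20, read as shifts of 5 and 19 (assumption).
C1, C2 = caesar_key(6 - 1), caesar_key(20 - 1)
PATTERN = [C1, C2, C2]

if __name__ == "__main__":
    print(encrypt("hello there", [MONO_KEY]))
    print(encrypt("hello there", PATTERN))
    print(decrypt("mxeqh mmxkj", PATTERN))
```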
Symmetric Key Cryptography
• Transposition Cipher:
Symmetric Key Cryptography: DES
DES: Data Encryption Standard: US encryption standard [NIST 1993]
DES operation
• 56-bit symmetric key, 64-bit plaintext input
• initial permutation, 16 identical “rounds” of function application, each using different 48 bits of key, final permutation
• How secure is DES?
– DES Challenge: 56-bit-key-encrypted phrase (“Strong cryptography makes the world a safer place”) decrypted (brute force) in 4 months
– no known “backdoor” decryption approach
• making DES more secure:
– use three keys sequentially (3-DES) on each datum
Public Key Cryptography
symmetric key cryptography
• requires sender, receiver know shared secret key
• Q: how to agree on key in first place (particularly if never “met”)
public key cryptography
• radically different approach [Diffie-Hellman76, RSA78]
• sender, receiver do not share secret key
• public encryption key known to all
• private decryption key known only to receiver
Public Key Cryptography
[Figure: plaintext message m → encryption algorithm (B’s public key $K_B^+$) → ciphertext $K_B^+(m)$ → decryption algorithm (B’s private key $K_B^-$) → plaintext message $m = K_B^-(K_B^+(m))$]
Public Key Encryption Algorithms
• Requirements:
1. need $K_B^+(\cdot)$ and $K_B^-(\cdot)$ such that $K_B^-(K_B^+(m)) = m$
2. given public key $K_B^+$ it should be impossible to compute private key $K_B^-$
RSA: Rivest, Shamir, Adleman algorithm
RSA: Encryption Decryption
Choosing Keys
• Choose two large prime numbers p, q. (e.g., 1024 bits each)
• Compute n = pq, z = (p-1)(q-1)
• Choose e (with e<n) that has no common factors with z. (e, z are “relatively prime”).
• Choose d such that ed-1 is exactly divisible by z. (in other words: ed mod z = 1).
• Public key $K_B^+$ is (n,e). Private key $K_B^-$ is (n,d).
Encryption/Decryption
1. Given (n,e) and (n,d) as computed above
2. To encrypt bit pattern, m, compute $c = m^e \bmod n$ (i.e., remainder when $m^e$ is divided by n)
3. To decrypt received bit pattern, c, compute $m = c^d \bmod n$ (i.e., remainder when $c^d$ is divided by n)
RSA Example
B chooses p=5, q=7. Then n=35, z=24.
– e=5 (so e, z relatively prime).
– d=29 (so ed-1 exactly divisible by z).
encrypt:
letter   m    m^e       c = m^e mod n
l        12   248832    17
decrypt:
c    c^d                                     m = c^d mod n   letter
17   481968572106750915091411825223071697    12              l
RSA: Property
• Why is it that $m = (m^e \bmod n)^d \bmod n$?
Useful number theory result: If p, q prime and n = pq, then:
$x^y \bmod n = x^{y \bmod (p-1)(q-1)} \bmod n$
$(m^e \bmod n)^d \bmod n = m^{ed} \bmod n$
$= m^{ed \bmod (p-1)(q-1)} \bmod n$ (using number theory result above)
$= m^1 \bmod n$ (since we chose ed to be divisible by (p-1)(q-1) with remainder 1)
$= m$
RSA: Property
RSA also holds the following property:
$K_B^-(K_B^+(m)) = m = K_B^+(K_B^-(m))$
(left side: use public key first, followed by private key; right side: use private key first, followed by public key)
Result is the same!
$(m^d)^e \bmod n = m = (m^e)^d \bmod n$
Outline
• Network Security Concepts
• Principles of cryptography
• Authentication
• Integrity
• Key Distribution and certification
• Security in many layers
Authentication
• Goal: B wants A to “prove” its identity to him
• authentication must be done solely on the basis of messages and data exchanged as part of an authentication protocol.
– Protocol ap1.0: A says “I am A”
[Figure: A sends “I am A” to B; C sends the same “I am A” to B.]
in a network, B can not “see” A, so C simply declares itself to be A
Authentication
• Protocol ap2.0: A says “I am A” in an IP packet containing its source IP address
[Figure: A sends “I am A” with A’s IP address to B; C sends the same message carrying A’s IP address.]
C can create a packet “spoofing” A’s address
Authentication
Protocol ap3.0: A says “I am A” and sends her secret password to “prove” it.
[Figure: A sends “I’m A”, A’s IP addr and A’s password to B; B replies OK to A’s IP addr.]
playback attack: C records A’s packet and later plays it back to B
[Figure: C replays the recorded packet (“I’m A”, A’s IP addr, A’s password) to B; B replies OK to A’s IP addr.]
Authentication
• Protocol ap3.1: A says “I am A” and sends her encrypted secret password to “prove” it.
[Figure: A sends “I’m A”, A’s IP addr and the encrypted password to B; B replies OK to A’s IP addr; C records the packet and later plays it back to B.]
record and playback still works!
Authentication
• Goal: avoid playback attack
• Nonce: number (R) used only once-in-a-lifetime
• ap4.0: to prove A is “alive”, B sends nonce, R to A. A must return R, encrypted with shared secret key
[Figure: A sends “I am A”; B replies with R; A returns $K_{A-B}(R)$.]
A is live, and only A knows key to encrypt nonce, so it must be A!
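
Why the recorded packet from ap3.1 keeps working while ap4.0 rejects it, as an added example (not part of the original slides). HMAC-SHA256 stands in for "encrypted with shared secret key"; the key, password and class names are constructed for this sketch.

```python
import hashlib
import hmac
import secrets

SHARED_KEY = b"constructed-demo-key-A-B"   # K_A-B, constructed for this example

def tag(key, data):
    """Stand-in for encrypting `data` under the shared key (HMAC-SHA256)."""
    return hmac.new(key, data, hashlib.sha256).digest()

class VerifierAp31:
    """B in ap3.1: accepts the same encrypted password every time."""
    def __init__(self, key, password):
        self.expected = tag(key, password)

    def check(self, response):
        return hmac.compare_digest(response, self.expected)

class VerifierAp40:
    """B in ap4.0: issues a fresh nonce R and accepts K_A-B(R) once."""
    def __init__(self, key):
        self.key = key
        self.pending = None

    def challenge(self):
        self.pending = secrets.token_bytes(16)
        return self.pending

    def check(self, response):
        nonce, self.pending = self.pending, None   # a nonce serves one attempt
        if nonce is None:
            return False
        return hmac.compare_digest(response, tag(self.key, nonce))

def replay_outcomes():
    """Return (ap3.1 genuine, ap3.1 replay, ap4.0 genuine, ap4.0 replay)."""
    b31 = VerifierAp31(SHARED_KEY, b"A's password")
    recorded31 = tag(SHARED_KEY, b"A's password")  # bytes C saw on the wire
    genuine31 = b31.check(recorded31)
    replay31 = b31.check(recorded31)               # identical bytes, later session

    b40 = VerifierAp40(SHARED_KEY)
    recorded40 = tag(SHARED_KEY, b40.challenge())  # A's answer to nonce R1
    genuine40 = b40.check(recorded40)
    b40.challenge()                                # new session, new nonce R2
    replay40 = b40.check(recorded40)               # answer to R1 does not fit R2
    return genuine31, replay31, genuine40, replay40

if __name__ == "__main__":
    print(replay_outcomes())
```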
Authentication
ap4.0 requires shared symmetric key
• can we authenticate using public key techniques?
ap5.0: use nonce, public key cryptography
[Figure: A sends “I am A”; B replies with R; A returns $K_A^-(R)$; B asks “send me your public key”; A sends $K_A^+$.]
B computes $K_A^+(K_A^-(R)) = R$ and knows only A could have the private key that encrypted R such that $K_A^+(K_A^-(R)) = R$
Authentication: Security Hole
• Intruder in the middle attacks: C poses as A (to B) and as B (to A)
[Figure: message sequence between A, C and B. “I am A” passes from A to C and from C to B; B sends nonce R; C answers with $K_C^-(R)$; B asks “Send me your public key” and receives $K_C^+$. C passes R to A, receives $K_A^-(R)$, asks “Send me your public key” and receives $K_A^+$. B sends $K_C^+(m)$; C gets $m = K_C^-(K_C^+(m))$ and sends m to A encrypted with A’s public key, $K_A^+(m)$; A recovers $m = K_A^-(K_A^+(m))$.]
Authentication: Security Hole
• Intruder in the middle attacks: C poses as A (to B) and as B (to A)
Difficult to detect:
• B receives everything that A sends, and vice versa. (e.g., so B, and A can meet one week later and recall conversation)
• problem is that C receives all messages as well!
Outline
• Network Security Concepts
• Principles of cryptography
• Authentication
• Integrity
• Key Distribution and certification
• Security in many layers
Digital Signatures
Cryptographic technique analogous to hand-written signatures.
• sender (B) digitally signs document, establishing he is document owner/creator.
• verifiable, non-forgeable: recipient (A) can prove to someone that B, and no one else (including A), must have signed document
Simple digital signature for message m:
• B signs m by encrypting with his private key $K_B^-$, creating “signed” message, $K_B^-(m)$
[Figure: B’s message, m (“Dear A, Oh, how I have missed you. I think of you all the time! … (blah blah blah) B”) → public key encryption algorithm with B’s private key $K_B^-$ → $K_B^-(m)$: B’s message, m, signed (encrypted) with his private key.]
Digital Signatures
• Suppose A receives message m, digital signature $K_B^-(m)$
• A verifies m signed by B by applying B’s public key $K_B^+$ to $K_B^-(m)$ then checks $K_B^+(K_B^-(m)) = m$.
• If $K_B^+(K_B^-(m)) = m$, whoever signed m must have used B’s private key.
A thus verifies that:
– B signed m.
– No one else signed m.
– B signed m and not m’.
Non-repudiation:
A can take m, and signature $K_B^-(m)$ to court and prove that B signed m.
Message Digests
Computationally expensive to public-key-encrypt long messages
Goal: fixed-length, easy-to-compute digital “fingerprint”
• apply hash function H to m, get fixed size message digest, H(m).
Hash function properties:
• many-to-1
• produces fixed-size message digest (fingerprint)
• given message digest x, computationally infeasible to find m such that x = H(m)
[Figure: large message m → H: hash function → H(m)]
Digital Signature = Signed Message Digest
B sends digitally signed message:
[Figure: large message m → H: hash function → H(m) → digital signature (encrypt) with B’s private key $K_B^-$ → encrypted msg digest $K_B^-(H(m))$, sent together with (+) the message m.]
A verifies signature and integrity of digitally signed message:
[Figure: large message m → H: hash function → H(m); encrypted msg digest $K_B^-(H(m))$ → digital signature (decrypt) with B’s public key $K_B^+$ → H(m); are the two values equal?]
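
The RSA key-choice steps from the earlier slides and the signed-digest scheme above, as an added example (not part of the original slides). It is textbook RSA without padding: SHA-256 stands in for the MD5/SHA-1 named in the slides, the digest is reduced mod n, and the larger demo key built from two Mersenne primes is constructed for illustration only.

```python
import hashlib
from math import gcd

def make_keys(p, q, e):
    """Slide procedure: n = pq, z = (p-1)(q-1), choose d with ed mod z = 1."""
    n, z = p * q, (p - 1) * (q - 1)
    if gcd(e, z) != 1:
        raise ValueError("e must have no common factor with z")
    d = pow(e, -1, z)            # modular inverse (Python 3.8+)
    return (n, e), (n, d)        # public key K+, private key K-

def apply_key(key, x):
    """K(x) = x^exponent mod n; the same operation serves K+ and K-."""
    n, exponent = key
    return pow(x, exponent, n)

def digest(message, n):
    """H(m) as an integer below n, so the RSA operation can act on it."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(private_key, message):
    """B computes K-(H(m)) and sends it alongside m."""
    return apply_key(private_key, digest(message, private_key[0]))

def verify(public_key, message, signature):
    """A recomputes H(m) and compares it with K+(signature)."""
    return apply_key(public_key, signature) == digest(message, public_key[0])

# The slide's toy key: p=5, q=7, e=5. pow() returns d=5; the slide's d=29
# is the same value mod z=24, so either exponent decrypts correctly.
TOY_PUB, TOY_PRIV = make_keys(5, 7, 5)

# Constructed demo key from two Mersenne primes. Far too small and too
# structured for real use, but large enough to make digests collide rarely.
DEMO_PUB, DEMO_PRIV = make_keys((1 << 61) - 1, (1 << 89) - 1, 65537)

if __name__ == "__main__":
    c = apply_key(TOY_PUB, 12)                      # letter "l" is m = 12
    print("c =", c, " m =", apply_key(TOY_PRIV, c))
    msg = b"Dear A, how I have missed you."        # constructed sample message
    sig = sign(DEMO_PRIV, msg)
    print("genuine:", verify(DEMO_PUB, msg, sig))
    print("altered:", verify(DEMO_PUB, msg + b"!", sig))
```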
Internet Checksum: Poor Hash Function
• Internet checksum has some properties of hash function:
– produces fixed length digest (16-bit sum) of message
– is many-to-one
• But given message with given hash value, it is easy to find another message with same hash value:
message      ASCII format
I O U 1      49 4F 55 31
0 0 . 9      30 30 2E 39
9 B O B      39 42 D2 42
             B2 C1 D2 AC
message      ASCII format
I O U 9      49 4F 55 39
0 0 . 1      30 30 2E 31
9 B O B      39 42 D2 42
             B2 C1 D2 AC
different messages but identical checksums!
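
The slide's two messages run through a word sum, the Internet checksum and a cryptographic hash, as an added example (not part of the original slides). It computes both the 4-byte word sum drawn on the slide and the 16-bit one's-complement checksum of RFC 1071, with SHA-256 for comparison; the byte strings are built from the slide's message text.

```python
import hashlib

# Constructed from the slide's two messages; 'O' is 0x4F in ASCII.
MSG_1 = b"IOU100.99BOB"
MSG_2 = b"IOU900.19BOB"

def word_sum32(data):
    """Add the message as 4-byte big-endian words, the layout drawn on the slide."""
    data += b"\x00" * (-len(data) % 4)             # pad to a whole word
    total = sum(int.from_bytes(data[i:i + 4], "big")
                for i in range(0, len(data), 4))
    return total & 0xFFFFFFFF

def internet_checksum(data):
    """RFC 1071 checksum: 16-bit one's-complement sum, then complemented."""
    data += b"\x00" * (len(data) % 2)              # pad to a whole 16-bit word
    total = 0
    for i in range(0, len(data), 2):
        total += int.from_bytes(data[i:i + 2], "big")
        total = (total & 0xFFFF) + (total >> 16)   # fold the carry back in
    return ~total & 0xFFFF

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def compare(a, b):
    """Report which digests fail to tell the two messages apart."""
    return {
        "word_sum32_equal": word_sum32(a) == word_sum32(b),
        "internet_checksum_equal": internet_checksum(a) == internet_checksum(b),
        "sha256_equal": sha256_hex(a) == sha256_hex(b),
    }

if __name__ == "__main__":
    for msg in (MSG_1, MSG_2):
        print(msg, f"{word_sum32(msg):08X}", f"{internet_checksum(msg):04X}",
              sha256_hex(msg)[:16])
    print(compare(MSG_1, MSG_2))
```

Moving the value 8 from one word to another leaves every additive sum unchanged, which is why both checksums agree while the SHA-256 digests differ.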
Hash Function Algorithms
• MD5 hash function widely used (RFC 1321)
– computes 128-bit message digest in 4-step process.
– arbitrary 128-bit string x, appears difficult to construct message m whose MD5 hash is equal to x.
• SHA-1 is also used.
– US standard [NIST, FIPS PUB 180-1]
– 160-bit message digest