Lecture 15-Network Security Part I


  • 8/7/2019 Lecture 15-Network Security Part I


    CS65-COMPUTER NETWORKS Dept. of EEE

    Prepared by S.Muralidharan 1

    14/4/2011

    NETWORK SECURITY

    Network security is needed to protect data during their transmission and to guarantee that data transmissions are authentic.

    The three requirements of network security are:
      Secrecy: Information available in the computer should only be accessed by the authorized users.
      Integrity: Information can only be modified by authorized parties.
      Availability: Information is made available only to authorized parties.

    Security attacks include:
      Interruption: System or information is destroyed or made unusable to the user.
      Interception: An unauthorized person or party gains access to the data.
      Modification: An unauthorized person gains access to the data and modifies the data.
      Fabrication: An unauthorized person gains control over the network and transmits fabricated data.

    Security attacks can be either:
      Passive attacks: monitor the transmissions and do not involve any modification of data.
      Active attacks: modify the data.

    Countermeasures:
      Implementing encrypted data transfer
      Use of passwords/keys
      Usage of firewalls and network security protocols


    Cryptography

    Cryptography is the art of converting the original intelligible message, referred to as plaintext, into random nonsense, referred to as ciphertext.

    The process of converting the plaintext into ciphertext is called encryption. The reverse process is called decryption. The user can do the decryption only by using a secret key.

    Cryptography can be characterized by:
      type of encryption operations used: substitution / transposition / product
      number of keys used: single-key or private / two-key or public
      way in which plaintext is processed: block / stream

    Plaintext vs. Ciphertext
      P (plaintext): the original form of a message
      C (ciphertext): the encrypted form

    Basic operations
      plaintext to ciphertext: encryption: C = E(P)
      ciphertext to plaintext: decryption: P = D(C)
      requirement: P = D(E(P))

    Cryptography
      cryptography means hidden writing, the practice of using encryption to conceal text

    Cryptanalysis
      a cryptanalyst studies encryption and encrypted messages, with the goal of finding the hidden meaning of the messages
      a cryptanalyst can do any or all of three different things:
        attempt to break a single message
        attempt to recognize patterns in encrypted messages, in order to be able to break subsequent ones by applying a straightforward decryption algorithm
        attempt to find general weakness in an encryption algorithm, without necessarily having intercepted any messages

    Cryptology
      includes both cryptography and cryptanalysis

    Breakable encryption
      An encryption algorithm may be breakable, meaning that given enough time and data, an analyst could determine the algorithm
      practicality is an issue
        for a given cipher scheme, there may be 10^30 possible decipherments, so the task is to select the right one out of the 10^30
        cryptanalyst cannot be expected to try just the hard, long way
        another efficient algorithm may exist
      estimates of breakability are based on current technology
        budget dependent


    Keyless Cipher
      a cipher that does not require the use of a key
      key cannot be changed

    Two forms of encryption
      substitution: one letter is exchanged for another
      transposition: the order of the letters is rearranged

    Simple substitution
      use a correspondence table
      substitute each character by another character or symbol
      monoalphabetic cipher: one-by-one

    The Caesar Cipher
      Named for Julius Caesar
      Caesar used a shift of 3
      translation chart:

        Plaintext  A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
        Ciphertext d e f g h i j k l m n o p q r s t u v w x y z a b c

      E(TREATY IMPOSSIBLE) = wuhdwb lpsrvvleoh
      E(T) = w, E(R) = u, etc.

    Advantages and Disadvantages of the Caesar Cipher
      advantage: easy to use
      disadvantage: simple structure, easy to break

    Permutation based
      generalization of the Caesar cipher
      permutation: 1-1
      example: use a more complex rule
      use a key, a word that controls the enciphering

        Plaintext  A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
        Ciphertext k e y a b c d f g h i j l m n o p q r s t u v w x z

    key: estart key: k key: y
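    Both translation charts above are instances of one monoalphabetic substitution. The following is an added example, not part of the original slides: it builds the Caesar table (shift 3) and the keyword table (key "key"), and shows the structural weakness the slides mention, namely that repeated letters stay repeated and a Caesar shift has only 26 candidates. Function names are chosen for this example.

```python
import string

ALPHABET = string.ascii_uppercase

def caesar_alphabet(shift):
    """Cipher alphabet for a Caesar shift; shift=3 gives the slide's chart."""
    shift %= 26
    return (ALPHABET[shift:] + ALPHABET[:shift]).lower()

def keyword_alphabet(key):
    """Key letters first (duplicates dropped), then the unused letters in order."""
    seen = []
    for ch in key.upper() + ALPHABET:
        if ch in ALPHABET and ch not in seen:
            seen.append(ch)
    return "".join(seen).lower()

def encrypt(plaintext, cipher_alphabet):
    """Uppercase plaintext -> lowercase ciphertext, as on the slides."""
    return plaintext.upper().translate(str.maketrans(ALPHABET, cipher_alphabet))

def decrypt(ciphertext, cipher_alphabet):
    """Inverse table, so decrypt(encrypt(P)) == P for any permutation."""
    return ciphertext.lower().translate(str.maketrans(cipher_alphabet, ALPHABET))

def repeat_pattern(text):
    """Index of first occurrence per letter; unchanged by any 1-1 substitution."""
    first = {}
    return [first.setdefault(ch, len(first)) for ch in text if ch.isalpha()]

def caesar_candidates(ciphertext):
    """All 26 possible Caesar decryptions: the whole key space fits in a dict."""
    return {s: decrypt(ciphertext, caesar_alphabet(s)) for s in range(26)}

if __name__ == "__main__":
    msg = "TREATY IMPOSSIBLE"
    for name, table in (("caesar-3", caesar_alphabet(3)),
                        ("keyword 'key'", keyword_alphabet("key"))):
        ct = encrypt(msg, table)
        print(name, table, ct, decrypt(ct, table))
        print("  pattern preserved:", repeat_pattern(msg) == repeat_pattern(ct))
    print(caesar_candidates("wuhdwb")[3])
```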


    Transposition
      A transposition cipher is an encoding process that does not change any of the letters of the original message, but changes the position of the letters.
      One simple transposition cipher reverses the order of the letters. For example, the message THE GAME IS AFOOT becomes EHT EMAG SI TOOFA.
      Such "backward writing" is easy to recognize and decode.
      By analogy, transposition ciphers are like jigsaw puzzles.
      All the pieces are present; it's just a matter of putting them in the correct order.

    Transposition-based Ciphers

    In a transposition-based cipher, the order of the plaintext is not preserved.

    As a simple example, select a key such as COMPUTER.

    Number the letters of the word COMPUTER in the order they appear in the alphabet:

        1 4 3 5 8 7 2 6
        C O M P U T E R

    Transposition-based Ciphers (continued)

    Now take the plaintext message and write it under the key:

        1 4 3 5 8 7 2 6
        C O M P U T E R
        t h i s i s t h
        e b e s t c l a
        s s i h a v e e
        v e r t a k e n

    Transposition-based Ciphers (continued)

    Then read the ciphertext down the columns, starting with the column numbered 1, followed by column number 2:

    TESVTLEEIEIRHBSESSHTHAENSCVKITAA
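    The three steps above (number the key, write the message in rows, read the columns out in numbered order) as an added example that is not part of the original slides. It goes slightly beyond the slide's case: repeated key letters are ordered left to right and a short last row is padded with "x", both of which are assumptions of this example.

```python
def key_numbers(key):
    """Rank of each key letter in alphabetical order (ties: left to right)."""
    order = sorted(range(len(key)), key=lambda i: (key[i], i))
    ranks = [0] * len(key)
    for rank, col in enumerate(order, start=1):
        ranks[col] = rank
    return ranks

def column_order(key):
    """Column indices in the order they are read out (column numbered 1 first)."""
    ranks = key_numbers(key)
    return sorted(range(len(key)), key=lambda col: ranks[col])

def transpose_encrypt(plaintext, key, pad="x"):
    letters = [c for c in plaintext.lower() if c.isalpha()]
    while len(letters) % len(key):          # assumption: pad the last row
        letters.append(pad)
    width = len(key)
    rows = [letters[i:i + width] for i in range(0, len(letters), width)]
    return "".join(row[col] for col in column_order(key) for row in rows).upper()

def transpose_decrypt(ciphertext, key):
    if len(ciphertext) % len(key):
        raise ValueError("ciphertext length must be a multiple of the key length")
    n_rows = len(ciphertext) // len(key)
    grid = [[""] * len(key) for _ in range(n_rows)]
    pos = 0
    for col in column_order(key):           # refill columns in read-out order
        for r in range(n_rows):
            grid[r][col] = ciphertext[pos]
            pos += 1
    return "".join("".join(row) for row in grid).lower()

if __name__ == "__main__":
    key = "COMPUTER"
    message = "this is the best class i have ever taken"
    ct = transpose_encrypt(message, key)
    print(key_numbers(key))                 # ranks written above the key
    print(ct)
    print(transpose_decrypt(ct, key))
    # The jigsaw-puzzle property: same letters, different positions.
    print(sorted(ct.lower()) == sorted(message.replace(" ", "")))
```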


    Symmetric and Asymmetric Keys

    [Figure: plain text message -> encryption box (KEY) -> encrypted message (bad guy listening in) -> decryption box (KEY) -> plain text message]

    Features:
      Just as a password is used to access a computer system, a cryptographic key is a password or passphrase that is used to unlock an encrypted message.
      Mathematical functions that work in tandem with a key
      Same plaintext data encrypts into different ciphertext with different keys
      Security of data relies on:
        Strength of the algorithm
        Secrecy of the key

    Key Generation

    Key generation is the process of generating keys for cryptography. A key is used to encrypt and decrypt whatever data is being encrypted/decrypted. Modern cryptographic systems include symmetric-key algorithms (such as DES and AES) and public-key algorithms (such as RSA).

    Symmetric-key algorithms use a single shared key; keeping data secret requires keeping this key secret. Public-key algorithms use a public key and a private key. The public key is made available to anyone (often by means of a digital certificate). A sender will encrypt data with the public key; only the holder of the private key can decrypt this data.

    In encryption systems that use a cipher algorithm, messages can be much longer than the key. The key must, however, be long enough so that an attacker cannot try all possible combinations. A key length of 80 bits is generally considered the minimum for strong security with symmetric encryption algorithms. 128-bit keys are commonly used and considered very strong.


    Encryption with key
      encryption key: K_E
      decryption key: K_D
      C = E(K_E, P)
      P = D(K_D, E(K_E, P))

    Symmetric
      When the encryption and decryption keys are the same
      D and E are mirror images of each other
      P = D(K, E(K, P))

    Asymmetric
      When the encryption and decryption keys are different
      P = D(K_D, E(K_E, P))

    [Figure: Plaintext -> Encryption -> Ciphertext -> Decryption -> Original Plaintext, shown once with a single Key (K_E = K_D) and once with an Encryption Key K_E and a Decryption Key K_D]

    Symmetric Vs Asymmetric Algorithms

    Type of Algorithm: Symmetric
      Advantages:
        Single key
      Disadvantages:
        Requires sender and receiver to agree on a key before transmission of data
        Security lies only with the key
        High cost

    Type of Algorithm: Asymmetric
      Advantages:
        Encryption and decryption keys are different
        Decryption key cannot be calculated from encryption key
      Disadvantages:
        Security of keys can be compromised when malicious users post phony keys


    Symmetric Encryption


    Encryption Using a Symmetric Algorithm

    Symmetric Algorithms
      Usually use the same key for encryption and decryption
      Encryption key can be calculated from decryption key and vice versa
      Require sender and receiver to agree on a key before they communicate securely
      Security lies with the key
      Also called secret key algorithms, single-key algorithms, or one-key algorithms

    Categories of Algorithms
      Stream algorithms
        Operate on the plaintext one bit at a time
      Block algorithms
        Encrypt and decrypt data in groups of bits, typically 64 bits in size

    Stream Cipher
      converts one symbol of plaintext immediately into a symbol of ciphertext

    Block Cipher
      converts a group of plaintext symbols as one block

    Stream Ciphers
      Advantages
        Speed of Transposition
        Low error propagation
      Disadvantages
        Low diffusion
          subject to tools such as frequency distribution, digram analysis, the index of coincidence, and the Kasiski method
        Susceptibility to malicious insertions and modifications: integrity


    Block Cipher

      Disadvantages
        the strengths of the stream cipher:
          speed
          error propagation
      Advantages
        Diffusion
          information from the plaintext is diffused into several ciphertext symbols
          one ciphertext block may depend on several plaintext letters
        Immunity to insertions: integrity
          it is impossible to insert a single symbol into one block
          the length of the block would then be incorrect, and the decipherment would quickly reveal the insertion
          an active interceptor cannot simply cut one ciphertext letter out of a message and paste a new one in to change an account, a time, a date, or a name of a message

    Asymmetric Algorithms
      Use different keys for encryption and decryption
      Decryption key cannot be calculated from the encryption key
      Anyone can use the key to encrypt data and send it to the host; only the host can decrypt the data
      Also known as public key algorithms


    Asymmetric Key Algorithm


    Common Encryption Algorithms

      Lucifer (1974)
      Diffie-Hellman (1976)
      RSA (1977)
      DES (1977)
      Triple DES (1998)
      IDEA (1992)
      Blowfish (1993)
      RC5 (1995)


    DIGITAL SIGNATURE

    A digital signature or digital signature scheme is a mathematical scheme for demonstrating the authenticity of a digital message or document. A valid digital signature gives a recipient reason to believe that the message was created by a known sender, and that it was not altered in transit. Digital signatures are commonly used for software distribution, financial transactions, and in other cases where it is important to detect forgery or tampering.

    Digital signatures employ a type of asymmetric cryptography.

    A digital signature scheme typically consists of three algorithms:
      A key generation algorithm that selects a private key uniformly at random from a set of possible private keys. The algorithm outputs the private key and a corresponding public key.
      A signing algorithm that, given a message and a private key, produces a signature.
      A signature verifying algorithm that, given a message, public key and a signature, either accepts or rejects the message's claim to authenticity.

    Two main properties are required.
      First, a signature generated from a fixed message and fixed private key should verify the authenticity of that message by using the corresponding public key.
      Secondly, it should be computationally infeasible to generate a valid signature for a party who does not possess the private key.


    Digital signature can provide authentication, integrity, and nonrepudiation for a message.
      Authentication: the receiver needs to be sure of the sender's identity and that an imposter has not sent the message.
      Integrity: the data must arrive at the receiver exactly as they were sent.
      Nonrepudiation: the receiver must be able to prove that a received message came from a specific sender.

    The idea of digital signature is similar to the signing of a document.
      Signing the entire document
      Signing the condensed version of the document

    SIGNING THE ENTIRE DOCUMENT

      The sender uses the private key to encrypt (sign).
      The receiver uses the public key of the sender to decrypt the message.
      Digital signature does not provide privacy. If there is a need for privacy, another layer of encryption/decryption must be applied.

    SIGNING THE DIGEST

      To create a digest of the message, a hash function is used.
      The most common hash functions are MD5 (Message Digest 5) and SHA-1 (Secure Hash Algorithm 1).
      MD5 creates a 120-bit digest and SHA-1 creates a 160-bit digest.

      The hash function guarantees success because:
        The digest can only be created from the message, not vice versa.
        Hashing is a one-to-one function; there is little probability that two messages will create the same digest.

      After the creation of the digest, it is encrypted using the sender's private key.
      The encrypted digest is attached to the original message and sent to the receiver.
      The receiver receives the original message and the encrypted digest and applies the hash function to create a digest.
      The receiver then decrypts the received digest using the public key of the sender.
      If the two digests are the same, the signature is valid.
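    The sign-the-digest procedure above, as an added example that is not part of the original slides. It is a teaching sketch: the key pair is textbook RSA built from two known Mersenne primes with no padding (constructed values, far too small for real use), and SHA-256 is swapped in for MD5/SHA-1, for which practical collisions are known.

```python
import hashlib

# Constructed toy key pair (assumption of this example, not from the slides).
P, Q = 2**127 - 1, 2**89 - 1          # two Mersenne primes
N = P * Q                             # public modulus
E = 65537                             # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))     # private exponent (Python 3.8+)

def digest_as_int(message: bytes) -> int:
    """Hash the message and map the digest into the RSA modulus range."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def sign(message: bytes, d: int = D, n: int = N) -> int:
    """Sender: 'encrypt' the digest with the private key."""
    return pow(digest_as_int(message), d, n)

def verify(message: bytes, signature: int, e: int = E, n: int = N) -> bool:
    """Receiver: recompute the digest, 'decrypt' the signature, compare."""
    return pow(signature, e, n) == digest_as_int(message)

if __name__ == "__main__":
    msg = b"Pay 100 to account 12345"            # constructed sample message
    sig = sign(msg)
    print("sent in the clear:", msg)             # a signature gives no privacy
    print("valid signature:  ", verify(msg, sig))
    # Integrity: any change to the message changes the digest.
    print("tampered message: ", verify(b"Pay 900 to account 12345", sig))
    # A signature that was not made with the private key does not verify.
    print("altered signature:", verify(msg, sig + 1))
```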


    Contents of a typical digital certificate
      Serial Number: Used to uniquely identify the certificate.
      Subject: The person, or entity identified.
      Signature Algorithm: The algorithm used to create the signature.
      Issuer: The entity that verified the information and issued the certificate.
      Valid-From: The date the certificate is first valid from.
      Valid-To: The expiration date.
      Key-Usage: Purpose of the public key (e.g. encipherment, signature, certificate signing...).
      Public Key: the purpose of SSL when used with HTTP is not just to encrypt the traffic, but also to authenticate who the owner of the website is, and that someone's been willing to invest time and money into proving the authenticity and ownership of their domain.
      Thumbprint Algorithm: The algorithm used to hash the certificate.
      Thumbprint: The hash itself to ensure that the certificate has not been tampered with.