Security in Networks
CPSC 363 Computer Networks
Ellen Walker
Hiram College
(Includes figures from Computer Networking by Kurose & Ross, © Addison Wesley 2002;, 2006)
Goals for Secure Communication
• Only the designated recipient can read the message (Confidentiality)
• The sender and recipient are correctly identified to each other (Authentication)
• The message is received as it was sent (Message Integrity and Nonrepudiation)
• The network infrastructure is available for communication by legitimate users (Availability and Access Control)
Aspects of Security
• Encryption • Authentication• Ensuring message integrity• Network protection
– Firewalls– Attacks & Countermeasures
• Security crosses many layers of the network stack
Alice, Bob and Trudy
• Alice wants to communicate with Bob.• Trudy wants to intercept or disrupt communication.
securesender
securereceiver
channel data, control messages
data data
Alice Bob
Trudy
Who are Bob and Alice?
• Humans• Customer, store (credit card transaction)• Customer, bank• Store, supplier• Bank, central data warehouse• DNS servers exchanging addresses• …
What might Trudy do?
• Eavesdrop (intercept messages)• Insert messages into conversation• Impersonate someone (Alice, Bob or
someone else)• Hijack the conversation (replace Alice or Bob)• Denial of service (prevent this conversation
and any others)
Cryptography
• Disguise data so that only the designated recipients can read it (with a key)
• Long history, significant advances in past 30 years– The Association for Computing Machinery (ACM)
awarded the 2002 A.M. Turing Award, considered the "Nobel Prize of Computing," to Leonard M. Adleman, Ronald L. Rivest and Adi Shamir for their role in the creation of the world's most widely used public-key cryptography system, which has become known by their initials, RSA.
Cryptography Definitions
plaintext plaintextciphertext
KA
encryptionalgorithm
decryption algorithm
Alice’s encryptionkey
Bob’s decryptionkey
KB
Decrypt (Encrypt (text, Akey), Bkey) = text
Two kinds of keys
• Symmetric key systems– Encryption (sender’s) key = decryption
(recipient’s) key– Key must be exchanged privately first
• Public key systems– Encryption and decryption keys are different– Each individual has a public and private key
• Alice uses Bob’s public key to send to Bob• Bob uses his private key to read the message
Substitution Ciphers (Symmetric Key)
• Caesar Cipher– Substitute each letter by one k away in the alphabet (with
wrap)• If k=1, HAL becomes IBM• 25 different options (assuming 0 is not reasonable)
• Monoalphabetic Cipher– Substitute each letter by another arbitrarily
• Example: (A=X, B=A, C=F, … Y=O, Z=T) • 26! – 1 different options (all orders of 26 letters)
• Polyalphabetic Cipher– Use multiple monoalphabetic ciphers in a pattern, e.g. c1,
c2, c2, c1 for each 4-letter sequence
Attacking Substitution Ciphers
• Ciphertext only– Use letter frequency statistics (e.g. e is most frequent in
English text)– Use common patterns (e.g. “ing”, “ion”, “ed”)
• Known plaintext– Get pairings from known words (e.g. “bob” give b and o),
use those to get more words
• Chosen plaintext– If Trudy can get Alice to send a known message containing
all 26 letters…
• Steal the key (!)
DES: A Modern Symmetric-key System
• 64-bit key (really 56+8 parity bits)• Operates directly on binary data (64-bit
chunks)• “The goal is to completely scramble the data
and key … there should be no correlation between the ciphertext and either the original data or the key” [NIST 1999]
DES Encryption(56 bit)
2 permutation steps (first and last)
16 “rounds”, each using different 48 bits of key
Took 4 months to break by brute force in 1997
Broken in 22 hours in 1999
Strengthening DES
• Cipher-block chaining– Each 64-bit block is XOR’ed with the encrypted
previous block before encoding
• Triple-DES (3DES)– Run the algorithm 3 times with 3 different keys
• Advanced Encryption System (AES - 2001)– 128-bit blocks– Keys are 128, 192 and 256 bits long– If brute-force takes 1 sec on DES, it takes 149
TRILLION YEARS for AES
Problem with Symmetric Key
• How does Alice communicate to Bob what key to use?– Cannot send it in plaintext, it is too valuable– Use another symmetric key? (same problem!)– Use prior knowledge
• “Use the name of my dog when I was little…”
– Exchange key (physically) by secure courier• “One-time pad” – two identical sequences of secret keys,
each is used for one message and thrown away
Public Key Encryption• Every individual has two keys (public, private)
– My private key unlocks message encrypted with my public key (and vice versa)
– Private key cannot be computed from public key
plaintextmessage, m
ciphertextencryptionalgorithm
decryption algorithm
Bob’s public key
plaintextmessageK (m)
B+
K B+
Bob’s privatekey
K B-
m = K (K (m))B+
B-
Advantages
• No shared secrets! (No couriers needed)• Anyone can send an encrypted message to
anyone (also a disadvantage?)• If public key unlocks private key as well, we
have a way of authenticating signatures– Bob signs with his private key, Alice verifies it’s
Bob by decrypting with Bob’s public key
RSA Keys
• Choose 2 large prime numbers (p and q)• Compute n = p*q and z = (p-1)*(q-1)• Pick another number e, less than n and
relatively prime to z• Find a number d, so that (e*d-1)%z = 0• Public key is (n,e) and Private key is (n,d)
RSA Encryption / Decryption
• Let m be the message text (as a binary #)c = pow(m,e) % n // encryption
m = pow(c,d) % n // decryption
• Because of the choices of d and e, pow(m,d*e) % n = m (see p. 619)
• Also, d*e = e*d so we can use public, private key in either order
Authentication
Goal: Bob wants Alice to “prove” her identity to him
Protocol ap1.0: Alice says “I am Alice”
Failure scenario??“I am Alice”
Authentication
Goal: Bob wants Alice to “prove” her identity to him
Protocol ap1.0: Alice says “I am Alice”
in a network,Bob can not “see”
Alice, so Trudy simply declares
herself to be Alice“I am Alice”
Authentication: another tryProtocol ap2.0: Alice says “I am Alice” in an IP packet
containing her source IP address
Failure scenario??
“I am Alice”Alice’s
IP address
Authentication: another tryProtocol ap2.0: Alice says “I am Alice” in an IP packet
containing her source IP address
Trudy can createa packet
“spoofing”Alice’s address“I am Alice”
Alice’s IP address
Authentication: another tryProtocol ap3.0: Alice says “I am Alice” and sends her
secret password to “prove” it.
Failure scenario??
“I’m Alice”Alice’s IP addr
Alice’s password
OKAlice’s IP addr
Authentication: another tryProtocol ap3.0: Alice says “I am Alice” and sends her
secret password to “prove” it.
playback attack: Trudy records Alice’s
packetand later
plays it back to Bob
“I’m Alice”Alice’s IP addr
Alice’s password
OKAlice’s IP addr
“I’m Alice”Alice’s IP addr
Alice’s password
Authentication: yet another tryProtocol ap3.1: Alice says “I am Alice” and sends her
encrypted secret password to “prove” it.
Failure scenario??
“I’m Alice”Alice’s IP addr
encrypted password
OKAlice’s IP addr
Authentication: another tryProtocol ap3.1: Alice says “I am Alice” and sends her
encrypted secret password to “prove” it.
recordand
playbackstill works!
“I’m Alice”Alice’s IP addr
encryptedpassword
OKAlice’s IP addr
“I’m Alice”Alice’s IP addr
encryptedpassword
Authentication: yet another tryGoal: avoid playback attack
Failures, drawbacks?
Nonce: number (R) used only once –in-a-lifetime
ap4.0: to prove Alice “live”, Bob sends Alice nonce, R. Alice
must return R, encrypted with shared secret key“I am Alice”
R
K (R)A-B
Alice is live, and only Alice knows key to encrypt
nonce, so it must be Alice!
Authentication: ap5.0ap4.0 requires shared symmetric key • can we authenticate using public key techniques?
ap5.0: use nonce, public key cryptography
“I am Alice”
RBob computes
K (R)A-
“send me your public key”
K A+
(K (R)) = RA
-K A
+
and knows only Alice could have the
private key, that encrypted R such that
(K (R)) = RA-
K A+
ap5.0: security holeMan (woman) in the middle attack: Trudy poses as
Alice (to Bob) and as Bob (to Alice)
I am Alice I am Alice
R
TK (R)
-
Send me your public key
TK
+A
K (R)-
Send me your public key
AK
+
TK (m)+
Tm = K (K (m))+
T-
Trudy gets
sends m to Alice encrypted
with Alice’s public key
AK (m)+
Am = K (K (m))+
A-
R
ap5.0: security holeMan (woman) in the middle attack: Trudy poses as
Alice (to Bob) and as Bob (to Alice)
Difficult to detect: Bob receives everything that Alice sends, and vice versa. (e.g., so Bob, Alice can meet one week later and recall conversation) problem is that Trudy receives all messages as well!
Digital Signature
• Verifiable (signed by me)• Nonforgeable (only me)• Nonrepudiable (and I really signed it, no
matter what I say later)
Generating a Digital signature
• Use your private key to compute k-(m), where m is the message– If the message decoded using the public key k+
matches the message send using your public key, then the signature is true
• Assuming everyone keeps their private key private, only you could have signed the message– To forge signature, your private key is needed
Without Encryption, can we check…
• Sender is as claimed• Data has not been changed since sender
transmitted it
Message Digest
• Like a checksum• Compute a “fingerprint” H(m) of the message• H(m) is shorter than m• “sign” the digest instead of the message
– Shorter string to encode using private key
• H(m) is a hash function (like in hash tables)– It is computationally infeasible to find two different
messages with H(x) = H(y)
Finding a good Hash Function
• Internet checksum– Too many messages have the same result– We can easily get the same checksum by flipping the right
bits
• MD5 algorithm (Ron Rivest)– 128-bit message digest– Pad the message– Append message length– Initialize– Mangle (4 rounds)
• SHA-1 (Government standard, 160 bit)