1 / 32

Network Security

POCS Seminar Series 2006 Network Security by Georgi Todorov Dowling College Oakdale, NY, 11769 http://mcs.dowling.edu/POCS/ Creative Commons Attribution-ShareAlike2.5 License Outline The Network Security Problem Cryptography Modern Cryptography Symmetric-Key Algorithms Cryptanalysis

Leo
Download Presentation

Network Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. POCS Seminar Series 2006 Network Security • by Georgi Todorov • Dowling College • Oakdale, NY, 11769 • http://mcs.dowling.edu/POCS/ Creative Commons Attribution-ShareAlike2.5 License

  2. Outline • The Network Security Problem • Cryptography • Modern Cryptography • Symmetric-Key Algorithms • Cryptanalysis • Public-Key Algorightms by Georgi Todorov Creative Commons Attribution-ShareAlike2.5 License

  3. Outline • Digital Signatures • IPSec • Firewalls • VPN • Wireless security by Georgi Todorov Creative Commons Attribution-ShareAlike2.5 License

  4. Outline • Kerberos • PGP • SSL • Practical: GnuPG by Georgi Todorov Creative Commons Attribution-ShareAlike2.5 License

  5. The Network Security Problem • Computer Networks (before) - university researchers, corporate employees. • Computer Networks (now) - millions use it for banking, shopping, tax returns etc.

  6. The Network Security Problem • Security is concerned with preventing unauthorized access or use of information or resources. • Reasons for security problems: for fun, for revenge, for theft

  7. NOTE!!! • The biggest problems in security are caused by incompetent employees, bad security procedures, and inside attacks rather than decoding encrypted messages stolen from tapped phone lines.

  8. Cryptography • “Cryptography or cryptology is a field of mathematics and computer science concerned with information security and related issues, particularly encryption and authentication.” - Wikipedia [1] • The term comes from Greek and it means “secret writing”, hence cryptology -> “the study of secret writing” • Cryptanalysis is the study of codebreaking

  9. Modern Cryptography • Modern cryptography includes the following main areas of study: • Symmetric-key cryptography • Public-key cryptography • Cryptanalysis • Cryptographic primitives • Cryptographic protocols

  10. Symmetric-key algorithm • “Symmetric-key algorithms are a class of algorithms for cryptography that use trivially related cryptographic keys for both decryption and encryption.” - Wikipedia [2] • Two types: • Stream ciphers - one bit at a time • Block ciphers - number of bits(64) as a single unit

  11. Symmetric-key algorithm • Hundreds or thousands of times faster • Encryption functions are reversible • Same input produces same output • DES, AES

  12. Symmetric-key algorithm - DES (Data Encryption Standard) • Developed by IBM and adopted by the U.S. Government in january 1977 • Encoding: • Text is divided into 64 bits • First stage: Permutation of the text • 16 rounds of processing: key(last32bits); XOR(first32bits,key(last32bits));Flip pair • Last stage: inverse permutation • Problems: too short -> 3DES (2 keys)

  13. Symmetric-key algorithm - AES (Advanced Encryption Standard) • Developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen • Operates on a 4x4 array of bytes (or more for more than 128 bit key size). Each round of AES excluding the last one consist of four steps: • AddRoundKey, SubBytes, ShiftRows, MixColumns • For more info:http://en.wikipedia.org/wiki/Advanced_Encryption_Standard

  14. Cryptanalysis • Differential cryptanalysis -> technique for attacking any block cipher, stream ciphers and cryptographic hash functions. How differences in an input can affect the resultant difference at the output. • DES can be successfully broken with an effort on the order of 2^47 chosen plaintexts. • Linear cryptanalysis -> works by XORing certain bits in the plaintext and ciphertext together. • It can break DES in only 2^43 known plaintexts • Electrical power consumtion (3 volts for 1 and 0 for 0)-> very powerful • Timing analysis - if, else -> different timing

  15. Public-Key Algorithms • Based on the computational complexity of number theory • Encryption (public) key is different from the decryption(private) key. One cannot be forged by the other but one is inverse of the other. • Diffie-Hellman key exchange protocol -> the first to show that public-key cryptography was possible

  16. Public-Key Algorithms - RSA(Rivest, Shamir, Adleman) • MIT 1978 • It has survived ALL ATTEMPTS to break it. • One big disadvantage -> quite slow (at least 1024 bit keys) • Widely used today

  17. Public-Key Algorithms - RSA(Rivest, Shamir, Adleman) • Summary: • Choose to large prime numbers p and q such that p != q, randomly and independently from each other • compute n = p*q • compute the totient Ф(n) = (p-1)(q-1) • Choose an integer e such that 1 < e < Ф(n), which is comprime to Ф(n) • Compute d such that de = 1 mod Ф(n).

  18. Public-Key Algorithms - RSA(Rivest, Shamir, Adleman) • Summary: • Public key consists of n and e • Private key consists of n and d • Example: • p = 61 — first prime number (to be kept secret or deleted securely) • q = 53 — second prime number (to be kept secret or deleted securely) • n = pq = 3233 — modulus (to be made public) • e = 17 — public exponent (to be made public) • d = 2753 — private exponent (to be kept secret) • The public key is (e, n). The private key is d. The encryption function is: • encrypt(m) = m^e mod n = m^17 mod 3233 • where m is the plaintext. The decryption function is: • decrypt(c) = c^d mod n = c^2753 mod 3233 • where c is the ciphertext. • To encrypt the plaintext value 123, we calculate • encrypt(123) = 123^17 mod 3233 = 855 • To decrypt the ciphertext value 855, we calculate • decrypt(855) = 855^2753 mod 3233 = 123

  19. Public-Key Algorithms - RSA(Rivest, Shamir, Adleman) • Security: • The RSA problem -> taking eth roots module a composite n: m^e=c mod n where (e,n) is the public key, and c is the ciphertext. • Factoring Large numbers -> As of 2005 the largest number factored b general-purpose methods was 663 bits long, using state-of-the-art distributed methods. No polunomail-time method is known so far!

  20. Digital Signatures • Symmetric-Key signatures - > requires central authority that knows everything and whom everyone trusts • Public-Key signatures -> eliminates the requirement of aa central authority

  21. Message Digest • One-way hash function • Simpler than signature • Properties: • Given P, it is easy to compute MD(P) • Given MD(P), it is effectively impossible to find P • Given P no one can find P’ such that MD(P’)=MD(P) • A change to the input of even 1 bit produces a very different output • MD5 and SHA-1

  22. IPSec • “IPsec (IP security) is a standard for securing Internet Protocol (IP) communications by encrypting and/or authenticating all IP packets. IPsec provides security at the network layer.” - Wikipedia [3] • Two modes: • Tunnel mode: port-to-port communications security • Transparent mode: end-to-end security • Dominant use in VPNs • Mandatory part in IPv6

  23. Firewalls • Description by Andy Tanenbaum: “Firewalls are just a modern adaptation of that old medieval security standby: digging a deep moat around your castle. This design forced everyone entering or leaving the castle to passover a single drawbridge, where they could be inspected by the I/O police.” [4] • Network layer firewalls do not allow packets to pass through unless they match the rules. These rules are defined by the administrator, or build-in ones are used • Application layer firewalls may stop all packets coming from or to an application (browser, ftp, mail) • Proxies may act as firewall • NAT -> Network Address Translation -> multiple hosts behind a single IP

  24. VPN - Virtual Private Network • A overlay network on top of a public network with the properties of a private network. • Based on virtual circuits • Used to connect remote sites of a company • Secure VPN protocols include: • IPsec • SSL (OpenVPN, tun/tap) • PPTP(M$)

  25. Wireless Security • WEP (Wired Equivalent Privacy) - Stream cipher based on the RC4 algorithm • 64bit WEP uses 40 bit key plus 24bit initialization vector forming RC4 traffic key. • After US Gov. restrictions were lifted, 128bit web with 104bit key size was introduced • Average break time 3 min • WPA and WPA2 (Wi-Fi Protected Access) • 128-bit key and 48-bit IV plus Temporal Key Integrity Protocol • Personal -> pre-shared key • Enterprise -> 802.11X authentication • Requires strong password for Personal

  26. Kerberos • Authentication protocol which allows individuals communicating over an insecure network to prove their identity to one another in a secure manner • Builds on symmetric-key cryptography and requires trusted third party • Uses: OpenSSH, NFS, PAM, SOKS, Apache, Devicot IMAP3 and POP3 server and others

  27. Kerberos • Outline: • Client and three servers(Authentication server, ticket-granting server and required service server) • client sends name to AS • AS sends session key and ticket to client encrypted with client’s secret key(ask for pwd and rm from system) • Client decrypts session and ticket and sends to TGS, encrypted with TGS’ secret key asking for ticket with SS • TGS returns two versions of the session key for client and SS, one encrypted with Client’s secret key and the other encrypted with SS’ secret key. • Now Client and SS can talk • If Client wants to talk to another SS, he sends a new ticket request directly to TGS

  28. PGP - Pretty Good Privacy • PGP provides cryptographic privacy, compression and authentication • Uses both public-key and symmetric-key cryptography • Outline: • PGP generates MD5 of the message and encrypts the result with sender’s private RSA key • Encrypted hash and message are concatenated and compressed. • An IDEA message key is generated and used to encrypt the compressed with IDEA in cipher feedback mode • Also the key is encrypted with the recipient's public key. • Both are concatenated and converted to base64 and sent. • The recipient reverses base64, decrypts the IDEA with his private key, deripts the archive, extracts, and decrypts the hash using senders public key, than generates a new hash and compares both.

  29. PGP - Pretty Good Privacy • Supported RSA lengths: • 1. Casual(384 bits): can be broken easily today. • 2. Commercial(512 bits): breakable by three-letter organizations • 3. Military ( 1024 bits): Not breakable by anyone on earth • 4. Alien (2048 bits): Not breakable by anyone on other planets, either • Many public key servers are available

  30. SSL - Secure Sockets Layer/Transport Layer Security (TLS) • SSL exchanges records; each record can be optionally compressed, encrypted and packed with message authentication code. It also contains content_type field that specifies which upper layer protocol is being used. • Phases: • Peer negotiation for algorithm support • Public key encryption-based key exchange and certificate-based authentication • Symmetric cipher-based traffic encryption • Supported protocols: • RSA, Diffie-Hellman, DSA, Fortezza, RC2, RC4, IDEA, DES, 3DES, AES, MD5, SHA • SSL runs on layers beneath application protocols (HTML,SMTP,NNTP) and above the TCP transport protocol, which forms part of the TCP/IP protocol suite. • It can add security to any protocol that uses reliable connections.

  31. GnuPG • GnuPG - Complete implementation of the OpenPGP Internet standard • 'GnuPG' currently supports ElGamal (signature and encrytion), DSA, AES, 3DES. Blowfish, Twofish, CASTS, MD5, SHA-1, RIPE-MD-160 and TIGER, and has language support for sixteen different languages. • http://eudoragpg.sourceforge.net/ver2.0/en/download/index.html -> Eudora plugin • http://www.sente.ch/software/GPGMail/English.lproj/GPGMail.html -> Apple Mail • http://enigmail.mozdev.org/download.html -> Mozilla, General Windows GnuPG

  32. References • [1] http://en.wikipedia.org/wiki/Cryptography • [2] http://en.wikipedia.org/wiki/Symmetric_key_algorithm • [3] http://en.wikipedia.org/wiki/IPsec • [4] Andrew Tanenbaum, “Computer Networks 4th Edition”,CH8,

More Related