1 / 38

Network Security

Understand principles of network security: Cryptography and its many uses beyond “confidentiality”. Authentication. Message integrity Non-repudiation Key distribution. Security in practice: Firewalls

kerry
Download Presentation

Network Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Understand principles of network security: Cryptography and its many uses beyond “confidentiality”. Authentication. Message integrity Non-repudiation Key distribution. Security in practice: Firewalls Security and protocols in application, transport, network, and link layers (NAT, IPSec, SSL, Kerberos, etc) Network Security

  2. Security in network layers

  3. Packet sniffing: To gain access to cleartext network data and passwords Impersonation: To gain unauthorized access to data or to create unauthorized e-mails by impersonating an authorized entity Denial-of-service: To render network resources non-functional Replay of messages: To gain access to information and change it in transit Guessing of keys: To gain access to encrypted data and passwords (brute-force attack) Port scanning: To discover potential available attack points Common Security Attacks

  4. What is Network Security? Confidentiality: only sender, intended receiver should “understand” message contents Authentication: sender, receiver want to confirm identity of each other Message Integrity: sender, receiver want to ensure message not altered without detection Non-Repudiation: being able to prove that the sender did send the message

  5. A Security Example: Alice, Bob, Trudy • Alice and Bob want to communicate “securely”. • Trudy (intruder) may intercept, delete, add messages, and so on to disrupt their communications.

  6. Who Might Alice and Bob Be? • Users • Web browser/server for electronic transactions (e.g., on-line purchases) • On-line banking client/server • DNS servers • Routers exchanging routing table updates

  7. Cryptography Definitions • Encryption is a process by which a message (called plaintext) is transformed into another message (called ciphertext) using a mathematical function and a special encryption password (called a key). • Decryption is the reverse process

  8. K K A B Cryptography Definitions Alice’s encryption key Bob’s decryption key encryption algorithm decryption algorithm ciphertext plaintext plaintext

  9. Symmetric (Secret) Key Cryptography • Same key decrypts and encrypts information. • The encryption functions used need not be secret, but the keys used must be secret • Sender and receiver must agree on the key before secured communication starts • The encryption and decryption functions used can be the same or different.

  10. K K A-B A-B K (m) m = K ( ) A-B A-B Symmetric Key Cryptography: Key Issues Symmetric key cryptography: Bob and Alice share the same (symmetric) key: K • Question: How is the agreed upon key distributed to both Bob and Alice in a secure fashion? encryption algorithm decryption algorithm ciphertext plaintext plaintext message, m K (m) A-B

  11. Symmetric Key Cryptography: DES DES: Data Encryption Standard • US encryption standard • 56-bit symmetric key, 64-bit plaintext input AES: Advanced Encryption Standard • Newer (November 2001) symmetric key replacing DES. • 128, 192, or 256 bit keys, 128-bit plaintext input • Brute force decryption (trying each key) would take 1 second on DES, but would take 149 trillion years for AES. IDEA: International Data Encryption Algorithm • 64-bit input, 128-bit keys • Stronger, more efficient than DES.

  12. Public Key Cryptography Symmetric key cryptography • Requires both the sender and receiver to know the shared secret key. • Question: how do they agree on the key in the first place (particularly if they have never “met”)? Public key cryptography • Sender and receiver do not share secret key. • Public encryption key known to all. • Private decryption key known only by the owner.

  13. Public (Assymetric) Key Cryptography • Keys are generated in pairs. • Public key is publicly registered so everyone knows it, and private one is kept secret by the owner. • Each key can decrypt what the other encrypts, but not what it encrypts itself. Important properties of key generation: • There is a one-to-one correspondence in the generated key pairs – if one key can decrypt a message, it must have been encrypted by the other. • It must be extremely difficult, if not impossible, to deduce the private key when given a public key.

  14. + K (m) B - + m = K (K (m)) B B Public Key Cryptography + Bob’s public key K B - Bob’s private key K B encryption algorithm decryption algorithm plaintext message plaintext message, m ciphertext

  15. Public Key Encryption Algorithms • Diffie-Hellman: the first public key approach proposed. • RSA: the best known public key system, developed by Rivest, Shamir, and Adleman (hence RSA). • DSA: Digital Signature Algorithm, developed by the U.S. National Security Agency (NSA).

  16. Symmetric vs. Public Key Cryptography Which method provides stronger security? Which method is more convenient? Which method performs better? • Ideally, we would like to combine the strengths of symmetric and public key cryptography, and avoid their weaknesses: We want the efficiency of symmetric cryptography combined with the ease of use and convenience of public key cryptography.

  17. Hybrid Secret-Public Key Cryptography • When two parties want to communicate securely, public key cryptography is used to exchange a random symmetric session key. • To communicate, symmetric cryptography is used with the session key. • When done, both parties destroy the session key.

  18. Hash functions/Message Digests • Message digest is a special kind of checksum produced using cryptographic means. • Typically produced from a one-way hash function that is difficult to reverse or predict. • This function takes the entire input and reduces it to a small value of fixed length, typically 128 to 512 bits in length. • Must be collision-resistant: must be difficult for 2 messages to produce the same digest • Encrypted hash (MAC) is used to ensure authentication and integrity

  19. MD5 hash function widely used SHA-1 is also used. Issues in both MD5 and SHA-1 have been found in recent years though These algorithms are now being phased out morequickly in favour of other, newer approaches like SHA-2. Message Digests: Hash Function Algorithms

  20. Authentication and Integrity • Authentication is the process of proving one’s identity to someone else. • There are three main ways of authenticatingan individual: • Something you know • Something you own • Something you are • Message integrity: ensuring that a message not altered without detection.

  21. We would like to have a cryptographic technique analogous to hand-written signatures. This digital signature is verifiable and not forgeable: recipient (Alice) can prove to someone that Bob, and no one else (including Alice), must have signed the document. Hash encrypted by a private key is a digital signature that is then attached to the original message By signing only the digest, we have the same level of security, as the digest is tied to the message, with less encryption and decryption overhead. Digital Signatures

  22. Signed Message Digests as Digital Signatures H: Hash function large message m - digital signature (encrypt) K B encrypted msg digest + - KB(H(m)) Bob sends digitally signed message: H(m) Bob’s private key

  23. Signed Message Digests as Digital Signatures H: Hash function H: Hash function large message m large message m + - digital signature (decrypt) digital signature (encrypt) K K B B encrypted msg digest encrypted msg digest + - - KB(H(m)) KB(H(m)) H(m) H(m) Bob sends digitally signed message: Alice verifies signature and integrity of digitally signed message: H(m) Bob’s private key Bob’s public key equal ?

  24. Certification Authorities • With public key cryptography there’s a danger of a “man-in-the-middle attacks” • How do we make sure that a particular public key belongs to a certain entity? • How can we avoid impersonation? • The International Telecommunication Union (ITU) specifies an authentication service and specific syntax for certificates in X.509.

  25. + + digital signature (encrypt) K K B B K CA Certification Authorities • Certification Authority (CA): binds a public key to particular entity, E. • E (person, router) registers its public key with CA. • E provides “proof of identity” to CA. • CA creates certificate binding E to its public key. • Certificate containing E’s public key digitally signed by CA – CA says “this is E’s public key” Bob’s public key CA private key certificate for Bob’s public key, signed by CA - Bob’s identifying information

  26. + + digital signature (decrypt) K K B B K CA Certification Authorities • When Alice wants Bob’s public key: • Gets Bob’s certificate (Bob or elsewhere). • Apply CA’s public key to Bob’s certificate, get Bob’s public key. Bob’s public key CA public key +

  27. firewall Firewalls isolates an organization’s internal network from a larger external network, allowing some packets to pass, blocking others

  28. Packet Filtering Firewalls All incoming and outgoing packets are examined according to some parameters (such as source/destinations IP address and/or port number)

  29. Application Layer Gateway/Firewalls An application gateway (proxy) is an application-specific server through which all application data (inbound and outbound) must pass.

  30. Network-layer secrecy: Sending host encrypts the data in IP datagram. TCP and UDP segments; ICMP and SNMP messages. Network-layer authentication Destination host can authenticate source IP addresses. Two principle protocols: Authentication header (AH) protocol Encapsulation security payload (ESP) protocol For both AH and ESP protocols, the source and destination handshake: Create network-layer logical channel called a security association (SA). IPsec: Network Layer Security

  31. Provides source authentication, data integrity, but not confidentiality. AH header inserted between IP header, data field. IP header data (e.g., TCP, UDP segment) AH header Authentication Header (AH) Protocol

  32. Provides secrecy, host authentication, and data integrity. Packet data and the ESP trailer are encrypted. ESP trailer ESP authent. Encapsulation Security Payload (ESP) Protocol authenticated encrypted ESP header IP header TCP/UDP segment

  33. Transport layer security to any TCP-based application using SSL services. Used between Web browsers, servers for e-commerce (shttp). Security services: Server authentication. Data encryption. Client authentication (optional). Server authentication: SSL-enabled browser includes public keys for trusted CAs. Browser requests server certificate, issued by trusted CA. Browser uses CA’s public key to extract server’s public key from certificate. Secure Sockets Layer (SSL)

  34. Encrypted SSL session: Browser generates symmetric session key, encrypts it with server’s public key, sends encrypted key to server. Using private key, server decrypts session key. Only the browser and server know session key. All data sent into TCP socket (by client or server) encrypted with session key. SSL can be used for non-Web applications, e.g., IMAP. Client authentication can be done with client certificates which have also been issued by CAs. SSL serves as a basis for TLS protocol SSL (Continued)

  35. VPN • A virtual private network is an extension of an enterprise's private intranet across a public network such as the Internet, creating a secure private connection, through a private tunnel.

  36. Kerberos • an encryption-based security system that provides mutual authentication between the users and the servers in a network environment. • Authorization can be implemented independently from the authentication • a ticket-granting server (key distribution center) acts as a mutually trusted third party

  37. KB-KDC KX-KDC KY-KDC KZ-KDC KP-KDC KB-KDC KA-KDC KA-KDC Key Distribution Centers (KDCs) • Alice, Bob need shared symmetric key. • KDC: server shares different secret key with each registered user (many users). • Alice, Bob know own their symmetric keys, KA-KDC and KB-KDC , for communicating with KDC. KDC

  38. Key Distribution Centers (KDCs) Q: How does KDC allow Bob, Alice to determine shared symmetric secret key to communicate with each other? KDC generates R1 KA-KDC(A,B) KA-KDC(R1, KB-KDC(A,R1) ) Alice knows R1 Bob knows to use R1 to communicate with Alice KB-KDC(A,R1) Alice and Bob communicate: using R1 as session key for shared symmetric encryption

More Related