POCS Seminar Series 2006

Network Security
  • by Georgi Todorov
  • Dowling College
  • Oakdale, NY, 11769
  • http://mcs.dowling.edu/POCS/

Creative Commons Attribution-ShareAlike2.5 License

Outline
  • The Network Security Problem
  • Cryptography
  • Modern Cryptography
    • Symmetric-Key Algorithms
    • Cryptanalysis
    • Public-Key Algorithms

Outline
  • Digital Signatures
  • IPSec
  • Firewalls
  • VPN
  • Wireless security

Outline
  • Kerberos
  • PGP
  • SSL
  • Practical: GnuPG

The Network Security Problem
  • Computer Networks (before) - university researchers, corporate employees.
  • Computer Networks (now) - millions use it for banking, shopping, tax returns etc.
The Network Security Problem
  • Security is concerned with preventing unauthorized access or use of information or resources.
  • Reasons for security problems: for fun, for revenge, for theft
NOTE!!!
  • The biggest problems in security are caused by incompetent employees, bad security procedures, and inside attacks rather than decoding encrypted messages stolen from tapped phone lines.
Cryptography
  • “Cryptography or cryptology is a field of mathematics and computer science concerned with information security and related issues, particularly encryption and authentication.” - Wikipedia [1]
  • The term comes from Greek and it means “secret writing”, hence cryptology -> “the study of secret writing”
  • Cryptanalysis is the study of codebreaking
Modern Cryptography
  • Modern cryptography includes the following main areas of study:
    • Symmetric-key cryptography
    • Public-key cryptography
    • Cryptanalysis
    • Cryptographic primitives
    • Cryptographic protocols
Symmetric-key algorithm
  • “Symmetric-key algorithms are a class of algorithms for cryptography that use trivially related cryptographic keys for both decryption and encryption.” - Wikipedia [2]
  • Two types:
    • Stream ciphers - one bit at a time
    • Block ciphers - a number of bits (64) as a single unit
Symmetric-key algorithm
  • Hundreds or thousands of times faster than public-key algorithms
  • Encryption functions are reversible
  • Same input produces same output
  • DES, AES
Symmetric-key algorithm - DES (Data Encryption Standard)
  • Developed by IBM and adopted by the U.S. Government in January 1977
  • Encoding:
    • Text is divided into 64 bits
    • First stage: Permutation of the text
    • 16 rounds of processing: key(last 32 bits); XOR(first 32 bits, key(last 32 bits)); flip pair
    • Last stage: inverse permutation
  • Problems: key too short -> 3DES (2 keys)
Symmetric-key algorithm - AES (Advanced Encryption Standard)
  • Developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen
  • Operates on a 4x4 array of bytes (or more for more than 128 bit key size). Each round of AES, excluding the last one, consists of four steps:
    • AddRoundKey, SubBytes, ShiftRows, MixColumns
  • For more info: http://en.wikipedia.org/wiki/Advanced_Encryption_Standard
Cryptanalysis
  • Differential cryptanalysis -> technique for attacking any block cipher, stream ciphers and cryptographic hash functions. It studies how differences in an input can affect the resultant difference at the output.
    • DES can be successfully broken with an effort on the order of 2^47 chosen plaintexts.
  • Linear cryptanalysis -> works by XORing certain bits in the plaintext and ciphertext together.
    • It can break DES in only 2^43 known plaintexts
  • Electrical power consumption (3 volts for 1 and 0 for 0) -> very powerful
  • Timing analysis - if/else branches -> different timing
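The timing bullet above, made concrete as an added example (not part of the original slides): an early-exit byte comparison does an amount of work that depends on how many leading bytes match, while a branch-free comparison does the same work for every input. The function names and the sample secret are hypothetical, and the byte counter stands in for elapsed time so the result is deterministic.

```python
import hmac


def leaky_equal(a: bytes, b: bytes):
    """Early-exit comparison. Returns (equal, bytes_examined)."""
    if len(a) != len(b):
        return False, 0
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:                 # the if/else that produces different timing
            return False, i + 1
    return True, len(a)


def constant_equal(a: bytes, b: bytes):
    """Branch-free comparison: every byte is examined whatever the input."""
    if len(a) != len(b):
        return False, 0
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y              # accumulate differences, never exit early
    return diff == 0, len(a)


def examined_profile(compare, secret: bytes, guesses):
    """Bytes examined per guess; a flat profile leaks nothing about the prefix."""
    return [compare(secret, g)[1] for g in guesses]


# Constructed sample data: each guess matches one more leading byte.
SECRET = b"key!"
GUESSES = [b"XXXX", b"kXXX", b"keXX", b"key!"]

if __name__ == "__main__":
    print("early exit :", examined_profile(leaky_equal, SECRET, GUESSES))
    print("branch-free:", examined_profile(constant_equal, SECRET, GUESSES))
    # In production Python code, use the library routine for secret comparison:
    print("compare_digest:", hmac.compare_digest(SECRET, GUESSES[-1]))
```

The pure-Python loop only illustrates the idea; `hmac.compare_digest` is the standard-library function intended for comparing secrets.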
Public-Key Algorithms
  • Based on the computational complexity of number theory
  • Encryption (public) key is different from the decryption (private) key. One cannot be derived from the other, but one is the inverse of the other.
  • Diffie-Hellman key exchange protocol -> the first to show that public-key cryptography was possible
Public-Key Algorithms - RSA (Rivest, Shamir, Adleman)
  • MIT 1978
  • It has survived ALL ATTEMPTS to break it.
  • One big disadvantage -> quite slow (at least 1024 bit keys)
  • Widely used today
Public-Key Algorithms - RSA (Rivest, Shamir, Adleman)
  • Summary:
    • Choose two large prime numbers p and q such that p != q, randomly and independently from each other
    • compute n = p*q
    • compute the totient Ф(n) = (p-1)(q-1)
    • Choose an integer e such that 1 < e < Ф(n), which is coprime to Ф(n)
    • Compute d such that de = 1 mod Ф(n).
Public-Key Algorithms - RSA (Rivest, Shamir, Adleman)
  • Summary:
    • Public key consists of n and e
    • Private key consists of n and d
  • Example:
  • p = 61 — first prime number (to be kept secret or deleted securely)
  • q = 53 — second prime number (to be kept secret or deleted securely)
  • n = pq = 3233 — modulus (to be made public)
  • e = 17 — public exponent (to be made public)
  • d = 2753 — private exponent (to be kept secret)
  • The public key is (e, n). The private key is d. The encryption function is:
  • encrypt(m) = m^e mod n = m^17 mod 3233
  • where m is the plaintext. The decryption function is:
  • decrypt(c) = c^d mod n = c^2753 mod 3233
  • where c is the ciphertext.
  • To encrypt the plaintext value 123, we calculate
  • encrypt(123) = 123^17 mod 3233 = 855
  • To decrypt the ciphertext value 855, we calculate
  • decrypt(855) = 855^2753 mod 3233 = 123
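The key-generation summary and the worked numbers above, carried through in code as an added example (not part of the original slides). The function names are hypothetical; the private exponent is derived with the extended Euclidean algorithm, and the toy primes from the slide are far too small for real use.

```python
def is_prime(k):
    """Trial division; adequate for the toy-sized primes used here."""
    return k > 1 and all(k % f for f in range(2, int(k ** 0.5) + 1))


def modinv(e, phi):
    """Find d with d*e = 1 mod phi using the extended Euclidean algorithm."""
    old_r, r = e, phi
    old_s, s = 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:                      # gcd(e, phi) must be 1
        raise ValueError("e is not coprime to phi(n)")
    return old_s % phi


def keygen(p, q, e):
    """Follow the summary steps; returns ((e, n), (d, n))."""
    if p == q or not (is_prime(p) and is_prime(q)):
        raise ValueError("p and q must be distinct primes")
    n = p * q
    phi = (p - 1) * (q - 1)
    if not 1 < e < phi:
        raise ValueError("need 1 < e < phi(n)")
    return (e, n), (modinv(e, phi), n)


def encrypt(m, public):
    e, n = public
    if not 0 <= m < n:
        raise ValueError("plaintext must be in [0, n)")
    return pow(m, e, n)                 # textbook RSA: no padding, deterministic


def decrypt(c, private):
    d, n = private
    return pow(c, d, n)


if __name__ == "__main__":
    public, private = keygen(61, 53, 17)    # the slide's p, q and e
    c = encrypt(123, public)
    print(public, private, c, decrypt(c, private))
```

Because unpadded RSA maps the same plaintext to the same ciphertext every time, deployed systems wrap it in a randomized padding scheme such as OAEP.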
Public-Key Algorithms - RSA (Rivest, Shamir, Adleman)
  • Security:
    • The RSA problem -> taking e-th roots modulo a composite n: m^e = c mod n, where (e, n) is the public key and c is the ciphertext.
    • Factoring large numbers -> As of 2005 the largest number factored by general-purpose methods was 663 bits long, using state-of-the-art distributed methods. No polynomial-time method is known so far!
Digital Signatures
  • Symmetric-key signatures -> require a central authority that knows everything and whom everyone trusts
  • Public-key signatures -> eliminate the requirement of a central authority
Message Digest
  • One-way hash function
  • Simpler than signature
  • Properties:
    • Given P, it is easy to compute MD(P)
    • Given MD(P), it is effectively impossible to find P
    • Given P no one can find P’ such that MD(P’)=MD(P)
    • A change to the input of even 1 bit produces a very different output
  • MD5 and SHA-1
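The last property in the list (a 1-bit input change gives a very different output) can be measured directly. This added example, not part of the original slides, flips every bit of a constructed message in turn and counts how many digest bits change; the function names and the sample message are hypothetical.

```python
import hashlib


def bit_distance(a: bytes, b: bytes) -> int:
    """Number of bit positions in which two equal-length digests differ."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def flip_bit(data: bytes, index: int) -> bytes:
    """Return a copy of data with exactly one bit inverted."""
    out = bytearray(data)
    out[index // 8] ^= 1 << (index % 8)
    return bytes(out)


def avalanche(message: bytes, algo: str = "sha1") -> dict:
    """Flip each input bit once and summarise how far the digest moves."""
    base = hashlib.new(algo, message).digest()
    distances = [
        bit_distance(base, hashlib.new(algo, flip_bit(message, i)).digest())
        for i in range(len(message) * 8)
    ]
    return {
        "digest_bits": len(base) * 8,
        "trials": len(distances),
        "min": min(distances),
        "max": max(distances),
        "mean": sum(distances) / len(distances),
    }


# Constructed sample input.
MESSAGE = b"POCS Seminar Series 2006: Network Security"

if __name__ == "__main__":
    for name in ("md5", "sha1"):        # the two digests named on the slide
        print(name, avalanche(MESSAGE, name))
```

For a well-behaved hash the mean sits near half the digest width (about 80 of 160 bits for SHA-1) and no single-bit flip leaves the digest unchanged.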
IPSec
  • “IPsec (IP security) is a standard for securing Internet Protocol (IP) communications by encrypting and/or authenticating all IP packets. IPsec provides security at the network layer.” - Wikipedia [3]
  • Two modes:
    • Tunnel mode: port-to-port communications security
    • Transparent mode: end-to-end security
  • Dominant use in VPNs
  • Mandatory part in IPv6
Firewalls
  • Description by Andy Tanenbaum: “Firewalls are just a modern adaptation of that old medieval security standby: digging a deep moat around your castle. This design forced everyone entering or leaving the castle to pass over a single drawbridge, where they could be inspected by the I/O police.” [4]
  • Network layer firewalls do not allow packets to pass through unless they match the rules. These rules are defined by the administrator, or built-in ones are used.
  • Application layer firewalls may stop all packets coming from or to an application (browser, ftp, mail)
  • Proxies may act as a firewall
  • NAT -> Network Address Translation -> multiple hosts behind a single IP
VPN - Virtual Private Network
  • An overlay network on top of a public network with the properties of a private network.
  • Based on virtual circuits
  • Used to connect remote sites of a company
  • Secure VPN protocols include:
    • IPsec
    • SSL (OpenVPN, tun/tap)
    • PPTP (M$)
Wireless Security
  • WEP (Wired Equivalent Privacy) - Stream cipher based on the RC4 algorithm
    • 64-bit WEP uses a 40-bit key plus a 24-bit initialization vector, forming the RC4 traffic key.
    • After US Gov. restrictions were lifted, 128-bit WEP with a 104-bit key size was introduced
    • Average break time 3 min
  • WPA and WPA2 (Wi-Fi Protected Access)
    • 128-bit key and 48-bit IV plus Temporal Key Integrity Protocol
    • Personal -> pre-shared key
    • Enterprise -> 802.11X authentication
    • Requires strong password for Personal
Kerberos
  • Authentication protocol which allows individuals communicating over an insecure network to prove their identity to one another in a secure manner
  • Builds on symmetric-key cryptography and requires trusted third party
  • Uses: OpenSSH, NFS, PAM, SOCKS, Apache, Dovecot IMAP3 and POP3 server and others
Kerberos
  • Outline:
    • Client and three servers (authentication server, ticket-granting server and required service server)
    • Client sends name to AS
    • AS sends session key and ticket to client, encrypted with client’s secret key (the client is asked for the password, which is then removed from the system)
    • Client decrypts the session key and ticket and sends the ticket to the TGS, encrypted with TGS’ secret key, asking for a ticket with SS
    • TGS returns two versions of the session key for client and SS, one encrypted with Client’s secret key and the other encrypted with SS’ secret key.
    • Now Client and SS can talk
    • If Client wants to talk to another SS, he sends a new ticket request directly to TGS
PGP - Pretty Good Privacy
  • PGP provides cryptographic privacy, compression and authentication
  • Uses both public-key and symmetric-key cryptography
  • Outline:
    • PGP generates MD5 of the message and encrypts the result with sender’s private RSA key
    • Encrypted hash and message are concatenated and compressed.
    • An IDEA message key is generated and used to encrypt the compressed data with IDEA in cipher feedback mode
    • Also the key is encrypted with the recipient's public key.
    • Both are concatenated and converted to base64 and sent.
    • The recipient reverses the base64 encoding, decrypts the IDEA key with his private key, decrypts the archive, extracts it, and decrypts the hash using the sender's public key, then generates a new hash and compares both.
PGP - Pretty Good Privacy
  • Supported RSA lengths:
  • 1. Casual (384 bits): can be broken easily today.
  • 2. Commercial (512 bits): breakable by three-letter organizations
  • 3. Military (1024 bits): Not breakable by anyone on earth
  • 4. Alien (2048 bits): Not breakable by anyone on other planets, either
  • Many public key servers are available
SSL - Secure Sockets Layer/Transport Layer Security (TLS)
  • SSL exchanges records; each record can be optionally compressed, encrypted and packed with a message authentication code. It also contains a content_type field that specifies which upper layer protocol is being used.
  • Phases:
    • Peer negotiation for algorithm support
    • Public key encryption-based key exchange and certificate-based authentication
    • Symmetric cipher-based traffic encryption
  • Supported protocols:
  • RSA, Diffie-Hellman, DSA, Fortezza, RC2, RC4, IDEA, DES, 3DES, AES, MD5, SHA
  • SSL runs on layers beneath application protocols (HTML, SMTP, NNTP) and above the TCP transport protocol, which forms part of the TCP/IP protocol suite.
  • It can add security to any protocol that uses reliable connections.
GnuPG
  • GnuPG - Complete implementation of the OpenPGP Internet standard
  • 'GnuPG' currently supports ElGamal (signature and encryption), DSA, AES, 3DES, Blowfish, Twofish, CAST5, MD5, SHA-1, RIPE-MD-160 and TIGER, and has language support for sixteen different languages.
  • http://eudoragpg.sourceforge.net/ver2.0/en/download/index.html -> Eudora plugin
  • http://www.sente.ch/software/GPGMail/English.lproj/GPGMail.html -> Apple Mail
  • http://enigmail.mozdev.org/download.html -> Mozilla, General Windows GnuPG
References
  • [1] http://en.wikipedia.org/wiki/Cryptography
  • [2] http://en.wikipedia.org/wiki/Symmetric_key_algorithm
  • [3] http://en.wikipedia.org/wiki/IPsec
  • [4] Andrew Tanenbaum, “Computer Networks 4th Edition”, CH8,