- By
**Leo** - Follow User

- 585 Views
- Uploaded on

Download Presentation
## Network Security

**An Image/Link below is provided (as is) to download presentation**

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript

Network Security

- by Georgi Todorov
- Dowling College
- Oakdale, NY, 11769
- http://mcs.dowling.edu/POCS/

Creative Commons Attribution-ShareAlike2.5 License

Outline

- The Network Security Problem
- Cryptography
- Modern Cryptography
- Symmetric-Key Algorithms
- Cryptanalysis
- Public-Key Algorightms

by Georgi Todorov

Creative Commons Attribution-ShareAlike2.5 License

Outline

- Digital Signatures
- IPSec
- Firewalls
- VPN
- Wireless security

by Georgi Todorov

Creative Commons Attribution-ShareAlike2.5 License

Outline

- Kerberos
- PGP
- SSL
- Practical: GnuPG

by Georgi Todorov

Creative Commons Attribution-ShareAlike2.5 License

The Network Security Problem

- Computer Networks (before) - university researchers, corporate employees.
- Computer Networks (now) - millions use it for banking, shopping, tax returns etc.

The Network Security Problem

- Security is concerned with preventing unauthorized access or use of information or resources.
- Reasons for security problems: for fun, for revenge, for theft

NOTE!!!

- The biggest problems in security are caused by incompetent employees, bad security procedures, and inside attacks rather than decoding encrypted messages stolen from tapped phone lines.

Cryptography

- “Cryptography or cryptology is a field of mathematics and computer science concerned with information security and related issues, particularly encryption and authentication.” - Wikipedia [1]
- The term comes from Greek and it means “secret writing”, hence cryptology -> “the study of secret writing”
- Cryptanalysis is the study of codebreaking

Modern Cryptography

- Modern cryptography includes the following main areas of study:
- Symmetric-key cryptography
- Public-key cryptography
- Cryptanalysis
- Cryptographic primitives
- Cryptographic protocols

Symmetric-key algorithm

- “Symmetric-key algorithms are a class of algorithms for cryptography that use trivially related cryptographic keys for both decryption and encryption.” - Wikipedia [2]
- Two types:
- Stream ciphers - one bit at a time
- Block ciphers - number of bits(64) as a single unit

Symmetric-key algorithm

- Hundreds or thousands of times faster
- Encryption functions are reversible
- Same input produces same output
- DES, AES

Symmetric-key algorithm - DES (Data Encryption Standard)

- Developed by IBM and adopted by the U.S. Government in january 1977
- Encoding:
- Text is divided into 64 bits
- First stage: Permutation of the text
- 16 rounds of processing: key(last32bits); XOR(first32bits,key(last32bits));Flip pair
- Last stage: inverse permutation
- Problems: too short -> 3DES (2 keys)

Symmetric-key algorithm - AES (Advanced Encryption Standard)

- Developed by two Belgian cryptographers, Joan Daemen and Vincent Rijmen
- Operates on a 4x4 array of bytes (or more for more than 128 bit key size). Each round of AES excluding the last one consist of four steps:
- AddRoundKey, SubBytes, ShiftRows, MixColumns
- For more info:http://en.wikipedia.org/wiki/Advanced_Encryption_Standard

Cryptanalysis

- Differential cryptanalysis -> technique for attacking any block cipher, stream ciphers and cryptographic hash functions. How differences in an input can affect the resultant difference at the output.
- DES can be successfully broken with an effort on the order of 2^47 chosen plaintexts.
- Linear cryptanalysis -> works by XORing certain bits in the plaintext and ciphertext together.
- It can break DES in only 2^43 known plaintexts
- Electrical power consumtion (3 volts for 1 and 0 for 0)-> very powerful
- Timing analysis - if, else -> different timing

Public-Key Algorithms

- Based on the computational complexity of number theory
- Encryption (public) key is different from the decryption(private) key. One cannot be forged by the other but one is inverse of the other.
- Diffie-Hellman key exchange protocol -> the first to show that public-key cryptography was possible

Public-Key Algorithms - RSA(Rivest, Shamir, Adleman)

- MIT 1978
- It has survived ALL ATTEMPTS to break it.
- One big disadvantage -> quite slow (at least 1024 bit keys)
- Widely used today

Public-Key Algorithms - RSA(Rivest, Shamir, Adleman)

- Summary:
- Choose to large prime numbers p and q such that p != q, randomly and independently from each other
- compute n = p*q
- compute the totient Ф(n) = (p-1)(q-1)
- Choose an integer e such that 1 < e < Ф(n), which is comprime to Ф(n)
- Compute d such that de = 1 mod Ф(n).

Public-Key Algorithms - RSA(Rivest, Shamir, Adleman)

- Summary:
- Public key consists of n and e
- Private key consists of n and d
- Example:
- p = 61 — first prime number (to be kept secret or deleted securely)
- q = 53 — second prime number (to be kept secret or deleted securely)
- n = pq = 3233 — modulus (to be made public)
- e = 17 — public exponent (to be made public)
- d = 2753 — private exponent (to be kept secret)
- The public key is (e, n). The private key is d. The encryption function is:
- encrypt(m) = m^e mod n = m^17 mod 3233
- where m is the plaintext. The decryption function is:
- decrypt(c) = c^d mod n = c^2753 mod 3233
- where c is the ciphertext.
- To encrypt the plaintext value 123, we calculate
- encrypt(123) = 123^17 mod 3233 = 855
- To decrypt the ciphertext value 855, we calculate
- decrypt(855) = 855^2753 mod 3233 = 123

Public-Key Algorithms - RSA(Rivest, Shamir, Adleman)

- Security:
- The RSA problem -> taking eth roots module a composite n: m^e=c mod n where (e,n) is the public key, and c is the ciphertext.
- Factoring Large numbers -> As of 2005 the largest number factored b general-purpose methods was 663 bits long, using state-of-the-art distributed methods. No polunomail-time method is known so far!

Digital Signatures

- Symmetric-Key signatures - > requires central authority that knows everything and whom everyone trusts
- Public-Key signatures -> eliminates the requirement of aa central authority

Message Digest

- One-way hash function
- Simpler than signature
- Properties:
- Given P, it is easy to compute MD(P)
- Given MD(P), it is effectively impossible to find P
- Given P no one can find P’ such that MD(P’)=MD(P)
- A change to the input of even 1 bit produces a very different output
- MD5 and SHA-1

IPSec

- “IPsec (IP security) is a standard for securing Internet Protocol (IP) communications by encrypting and/or authenticating all IP packets. IPsec provides security at the network layer.” - Wikipedia [3]
- Two modes:
- Tunnel mode: port-to-port communications security
- Transparent mode: end-to-end security
- Dominant use in VPNs
- Mandatory part in IPv6

Firewalls

- Description by Andy Tanenbaum: “Firewalls are just a modern adaptation of that old medieval security standby: digging a deep moat around your castle. This design forced everyone entering or leaving the castle to passover a single drawbridge, where they could be inspected by the I/O police.” [4]
- Network layer firewalls do not allow packets to pass through unless they match the rules. These rules are defined by the administrator, or build-in ones are used
- Application layer firewalls may stop all packets coming from or to an application (browser, ftp, mail)
- Proxies may act as firewall
- NAT -> Network Address Translation -> multiple hosts behind a single IP

VPN - Virtual Private Network

- A overlay network on top of a public network with the properties of a private network.
- Based on virtual circuits
- Used to connect remote sites of a company
- Secure VPN protocols include:
- IPsec
- SSL (OpenVPN, tun/tap)
- PPTP(M$)

Wireless Security

- WEP (Wired Equivalent Privacy) - Stream cipher based on the RC4 algorithm
- 64bit WEP uses 40 bit key plus 24bit initialization vector forming RC4 traffic key.
- After US Gov. restrictions were lifted, 128bit web with 104bit key size was introduced
- Average break time 3 min
- WPA and WPA2 (Wi-Fi Protected Access)
- 128-bit key and 48-bit IV plus Temporal Key Integrity Protocol
- Personal -> pre-shared key
- Enterprise -> 802.11X authentication
- Requires strong password for Personal

Kerberos

- Authentication protocol which allows individuals communicating over an insecure network to prove their identity to one another in a secure manner
- Builds on symmetric-key cryptography and requires trusted third party
- Uses: OpenSSH, NFS, PAM, SOKS, Apache, Devicot IMAP3 and POP3 server and others

Kerberos

- Outline:
- Client and three servers(Authentication server, ticket-granting server and required service server)
- client sends name to AS
- AS sends session key and ticket to client encrypted with client’s secret key(ask for pwd and rm from system)
- Client decrypts session and ticket and sends to TGS, encrypted with TGS’ secret key asking for ticket with SS
- TGS returns two versions of the session key for client and SS, one encrypted with Client’s secret key and the other encrypted with SS’ secret key.
- Now Client and SS can talk
- If Client wants to talk to another SS, he sends a new ticket request directly to TGS

PGP - Pretty Good Privacy

- PGP provides cryptographic privacy, compression and authentication
- Uses both public-key and symmetric-key cryptography
- Outline:
- PGP generates MD5 of the message and encrypts the result with sender’s private RSA key
- Encrypted hash and message are concatenated and compressed.
- An IDEA message key is generated and used to encrypt the compressed with IDEA in cipher feedback mode
- Also the key is encrypted with the recipient's public key.
- Both are concatenated and converted to base64 and sent.
- The recipient reverses base64, decrypts the IDEA with his private key, deripts the archive, extracts, and decrypts the hash using senders public key, than generates a new hash and compares both.

PGP - Pretty Good Privacy

- Supported RSA lengths:
- 1. Casual(384 bits): can be broken easily today.
- 2. Commercial(512 bits): breakable by three-letter organizations
- 3. Military ( 1024 bits): Not breakable by anyone on earth
- 4. Alien (2048 bits): Not breakable by anyone on other planets, either
- Many public key servers are available

SSL - Secure Sockets Layer/Transport Layer Security (TLS)

- SSL exchanges records; each record can be optionally compressed, encrypted and packed with message authentication code. It also contains content_type field that specifies which upper layer protocol is being used.
- Phases:
- Peer negotiation for algorithm support
- Public key encryption-based key exchange and certificate-based authentication
- Symmetric cipher-based traffic encryption
- Supported protocols:
- RSA, Diffie-Hellman, DSA, Fortezza, RC2, RC4, IDEA, DES, 3DES, AES, MD5, SHA
- SSL runs on layers beneath application protocols (HTML,SMTP,NNTP) and above the TCP transport protocol, which forms part of the TCP/IP protocol suite.
- It can add security to any protocol that uses reliable connections.

GnuPG

- GnuPG - Complete implementation of the OpenPGP Internet standard
- 'GnuPG' currently supports ElGamal (signature and encrytion), DSA, AES, 3DES. Blowfish, Twofish, CASTS, MD5, SHA-1, RIPE-MD-160 and TIGER, and has language support for sixteen different languages.
- http://eudoragpg.sourceforge.net/ver2.0/en/download/index.html -> Eudora plugin
- http://www.sente.ch/software/GPGMail/English.lproj/GPGMail.html -> Apple Mail
- http://enigmail.mozdev.org/download.html -> Mozilla, General Windows GnuPG

References

- [1] http://en.wikipedia.org/wiki/Cryptography
- [2] http://en.wikipedia.org/wiki/Symmetric_key_algorithm
- [3] http://en.wikipedia.org/wiki/IPsec
- [4] Andrew Tanenbaum, “Computer Networks 4th Edition”,CH8,

Download Presentation

Connecting to Server..