1 / 23

CISC 370 - Class Today

CISC 370 - Class Today. Final Lab is Ready! Returning Homework: Ch 12, 13 Finishing up network security: crypto protocols Saving the Net. Homework, Labs. Final Lab is Ready Print the Lab Sheet and fill it in Noisy Hub – plug it in at start, unplug it at end

lei
Download Presentation

CISC 370 - Class Today

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CISC 370 - Class Today • Final Lab is Ready! • Returning Homework: Ch 12, 13 • Finishing up network security: crypto protocols • Saving the Net R. Smith - University of St Thomas - Minnesota

  2. Homework, Labs • Final Lab is Ready • Print the Lab Sheet and fill it in • Noisy Hub – plug it in at start, unplug it at end • Some are missing recent homeworks • This really trashes your grade • I will give partial credit if you hand in A7 or later assignments • This won’t move you from a C to an A, but it will improve things R. Smith - University of St Thomas - Minnesota

  3. Homework Problems • 12.3 – talked about it in class • “official answer” has “ACK” delay (?) – weird on circuits • Only looks at the ‘interesting’ case of DGs vs Circuits • 12.4 • 1 phone call every 30 minutes; 6 minutes per call • Average: one phone uses 3 minutes of every hour = 0.05 • 20 phones use 1 “channel’s” worth of bandwidth • If 10% is long distance, 1 channel supports 200 phones • # channels = ceil(1Mhz / 3400 hz) = 295 • Total phones = 295 * 200 = 59,000 • 12.5 – ignores call setup delay R. Smith - University of St Thomas - Minnesota

  4. Chapter 13 • 13.4 • A. N = X / ceil(X / L) * (L + H); optimally L / (L + H) • ATM: L=48, H=5, Nopt = .91 • B. N = X / (X + H + Hv) • C. Sawtooth curve for N fixed; N variable carries whole message • Wanted to see points plotted • 13.5 • A. L / (L+H) • B. D = 8L / R (8 bits per byte) R. Smith - University of St Thomas - Minnesota

  5. Network Encryption Application • We get different results by putting cryptography in different places in the protocol architecture TCP/UDP Layer Protocol Stack IP Layer Link Layer Device Driver R. Smith - University of St Thomas - Minnesota

  6. The Encryption Process • Convert plaintext to ciphertext with a key R. Smith - University of St Thomas - Minnesota

  7. Cryptanalysis • Known ciphertext attack • a.k.a. ciphertext-only attack – classic attack • Newspaper cryptograms • You have ciphertext, no plaintext • Known plaintext attack • You have some plaintext for some intercepted ciphertext • The attack used against ENIGMA to reduce the problem R. Smith - University of St Thomas - Minnesota

  8. Security and the Protocol Stack PGP Classic layer-oriented examples of crypto protocols • Application: PGP • encrypts application data • Trans->App: SSL • encrypts the connection • IP Layer: IPSEC • encrypts routable packets • Link Layer: WEP/WPA • encrypts LAN packets Application SSL TCP/UDP Layer IPSEC Protocol Stack IP Layer Link Layer Device Driver WEP/WPA R. Smith - University of St Thomas - Minnesota

  9. How Crypto works in the stack • “Above” a crypto layer • Data is assumed to be in plaintext form • “At” a crypto layer • We convert between plaintext and ciphertext • We have access to some keys • We generate some plaintext headers • Some header info may be encrypted or protected otherwise • “Below” the crypto layer • New network headers are added in plaintext R. Smith - University of St Thomas - Minnesota

  10. How it works Geographically • Application layer encryption • “End to end security” – routable, and inaccessible to others • Defeats intermediate virus scans, intrusion detection • Applied at the discretion of the end user (usually) • Socket layer encryption • Application-application security – similar to application layer • Often applied automatically under control of the server • Sometimes it is a user-level option • IPSEC – IP Security Protocols • Internet layer security – protects routable packets, per-packet • Protects all Internet application traffic equally • Often a substitute for inter-site leased lines R. Smith - University of St Thomas - Minnesota

  11. IP Security Protocol – IPSEC • Security protection that’s IP routable • We authenticate the IP addresses • We encrypt everything inside the IP header R. Smith - University of St Thomas - Minnesota

  12. Separate Headers • AH – Authentication Header • Keeps the packet intact • ESP – Encapsulating Security Payload • A ‘generic’ security format, originally just for encryption • Now does both encryption and authentication R. Smith - University of St Thomas - Minnesota

  13. Authentication Header – ‘AH’ • Protects unchanging bits of the IP header • “SPI” – Security Parameter Index • Identifies the keying and hash algorithm to use R. Smith - University of St Thomas - Minnesota

  14. Modern style, including integrity protection Internal format still depends on the crypto used SPI picks the crypto format; the format determines variables Main problem: how long is the integrity check? May be length = 0, especially if the crypto does it already Encapsulating Security Payload- ESP R. Smith - University of St Thomas - Minnesota

  15. Secret Key Management • Two elements • How do you assign individual keys • How do you update keys • Assignment – how many keys do we need? • “One Big Cryptonet” • Pairwise user-user • Pairwise user-server (“key distribution center) • Updating – given the assignment strategies • Manual • Automatic R. Smith - University of St Thomas - Minnesota

  16. Automatic key updating • How do we get the new key? • Internal update • use a ‘pseudo random number generator’ • “Forward secrecy” problem • Random update • Use a new, randomly generated key • Share with the cryptonet • How do we transmit random keys? • Chained update • Send it using the existing crypto key • “Forward secrecy” problem • KEK-based update • Use a separate “key encrypting key” • Data is only sent with “data keys” or “session keys” • Only use KEK to send newly generated session R. Smith - University of St Thomas - Minnesota

  17. Key Distribution Center (KDC) • Each user has a unique personal key • Contacts KDC to get a session key • KDC sends keys encrypted with users’ personal keys • Example • Bob wants to talk to Alice • Bob contacts KDC, says “I want to talk to Alice” • KDC sends two copies of the session key • One encrypted with Bob’s personal key • One encrypted with Alice’s personal key • This is the basis of Kerberos • Encrypted keys are called “tickets” R. Smith - University of St Thomas - Minnesota

  18. Private Key Public Key Cipher Text Clear Text Decryption Procedure Clear Text Encryption Procedure Public Key Encryption • Uses a pair of keys: the Private Key and the Public Key • Usually, one key of the pair decrypts what the other key encrypts, and vice versa • “Asymmetric Encryption” R. Smith - University of St Thomas - Minnesota

  19. Public Key Protocols/Applications • IPSEC: used for key exchange • “Diffie Hellman” public key technique • Produce temporary public/private keys • Use the security to set up IPSEC security associations (SPIs) • SSL: protects Web, FTP, e-mail, shell (SSH).. • Usually RSA public key technique • Uses a web server’s public key to set up a shared secret • Uses regular crypto to protect the actual data transfers • PGP, PEM, S/MIME: protect files and e-mail • Usually RSA public key technique • Encrypt a file with regular (symmetric) crypto • Encrypt the key with recipients’ public keys • “Sign” the message with author’s private key R. Smith - University of St Thomas - Minnesota

  20. “Saving the Net” • Caveats • There’s particular rhetorical stuff going on • This commentary reflects a whole set of attitudes and, well, prejudices that are common in Internet engineering circles R. Smith - University of St Thomas - Minnesota

  21. “Saving the Net” • Whose ‘side’ is the author on? • What is Scenario #1? • Who wins? • What is Scenario #2? • Who is harmed by ‘bypass’ traffic? • What is Scenario #3? • What is this ‘war’ between pipes, place, and publishing? R. Smith - University of St Thomas - Minnesota

  22. Other Concepts • “Unregulated” versus “Unrestricted” • Net Neutrality • Convergence • Public vs private ownership • Regulated monopoly vs something else • Internet as ‘place’ vs ‘carrier’ R. Smith - University of St Thomas - Minnesota

  23. Creative Commons License This work is licensed under the Creative Commons Attribution-Share Alike 3.0 United States License. To view a copy of this license, visit http://creativecommons.org/licenses/by-sa/3.0/us/ or send a letter to Creative Commons, 171 Second Street, Suite 300, San Francisco, California, 94105, USA. R. Smith - University of St Thomas - Minnesota

More Related