By **liuz**
## Network Security


Overview

- Security services
- Security threats
- Encryption
- Conventional encryption
- Conventional encryption algorithms
- Public key encryption
- Public key encryption algorithms
- Message authentication
- IPv4 and IPv6 security

Security Services

- Confidentiality
- Integrity
- Authentication
- Access control
- Non-repudiation
- Availability

Security threats

[Figure: information flow from an information source to an information destination, drawn in five cases: a) normal flow, b) interruption, c) interception, d) modification, e) fabrication]

Security threats

- Interruption – attack on availability
- Interception – attack on confidentiality
- Modification – attack on integrity
- Fabrication – attack on authenticity

Security threats

- Passive attacks – eavesdropping on or monitoring of transmissions
  - Release of message contents
  - Traffic analysis
- Active attacks – modification of the data stream or creation of a false stream
  - Masquerade
  - Replay
  - Modification of message
  - Denial of service

Encryption

Encryption is the basic tool of network and communication security.

It protects against passive attacks.

Types:

- Conventional encryption
- Public-key encryption
- Hybrid of the two preceding types

Conventional Encryption

- Two parties share a single encryption/decryption key

[Figure: conventional encryption. Plaintext input → encryption algorithm (e.g. DES) keyed with the secret key → transmitted ciphertext → decryption algorithm keyed with the same secret key → plaintext output]

Conventional encryption

- Approaches to attacking a conventional encryption scheme:
  - Cryptanalysis – relies on the nature of the algorithm and on some plaintext-ciphertext pairs
  - Brute-force attacks – try every possible key

Time for key search

| Key size (bits) | Number of alternative keys | Time required at 1 encryption/sec | Time required at 10^6 encryptions/sec |
|---|---|---|---|
| 32 | 2^32 = 4.3×10^9 | 2^31 sec = 35.8 mins | 2.15 millisecs |
| 56 | 2^56 = 7.2×10^16 | 1142 years | 10.01 hours |
| 128 | 2^128 = 3.4×10^38 | 5.4×10^24 years | 5.4×10^18 years |

Conventional encryption algorithms

- Block ciphers – process the plaintext input in fixed-size blocks and produce a block of ciphertext of equal size for each plaintext block
  - They are symmetric
  - DES (Data Encryption Standard)
  - DEA (Data Encryption Algorithm)
  - TDEA (Triple Data Encryption Algorithm)
  - AES (Advanced Encryption Standard)

DEA

- DES was developed by NIST
- The DEA key size is 56 bits and the blocks are 64 bits
- Since 1977, NIST has re-approved DES for use every 5 years
- In 1997, NIST solicited a new secret-key algorithm, the Advanced Encryption Standard (it uses a 128-bit block size and a key length of at least 128 bits)
- In 1998 the EFF (Electronic Frontier Foundation) announced that it had broken DES
- In October 2000 the successor to DES was selected; it is called Rijndael
- Double and triple DES are also common
- Triple DEA uses 3 keys and 3 executions of DEA:
  - C = E_k3[D_k2[E_k1[P]]] (encrypt under k1, decrypt under k2, encrypt under k3)
  - Its key length is 168 bits
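The EDE composition above, as an added example that is not part of the slides. The 64-bit block cipher it is built on is a toy assumed for this example (a few add-rotate-xor rounds) and has no security value; what it shows is the key composition C = E_k3[D_k2[E_k1[P]]], its inverse, and why the middle step is a decryption: with k1 = k2 = k3 the construction collapses to a single-key encryption.

```python
"""Added example (not from the slides): the EDE composition used by Triple
DEA, C = E_k3[D_k2[E_k1[P]]], shown on a toy 64-bit block cipher so it runs
with the standard library only. The toy cipher is an assumption of this
example and offers no security; only the key-composition logic is the point."""

MASK64 = (1 << 64) - 1
ROUNDS = 8


def _rotl(x: int, r: int) -> int:
    return ((x << r) | (x >> (64 - r))) & MASK64


def _rotr(x: int, r: int) -> int:
    return ((x >> r) | (x << (64 - r))) & MASK64


def toy_encrypt(block: int, key: int) -> int:
    """Stand-in for E_k: add-rotate-xor rounds under a 56-bit key (assumption)."""
    for r in range(ROUNDS):
        block = (block + (key ^ r)) & MASK64   # key mixing, round-dependent
        block = _rotl(block, 13)               # diffusion
        block ^= key
    return block


def toy_decrypt(block: int, key: int) -> int:
    """Stand-in for D_k: the rounds of toy_encrypt undone in reverse order."""
    for r in reversed(range(ROUNDS)):
        block ^= key
        block = _rotr(block, 13)
        block = (block - (key ^ r)) & MASK64
    return block


def tdea_encrypt(p: int, k1: int, k2: int, k3: int) -> int:
    """C = E_k3[ D_k2[ E_k1[P] ] ]: three keys, three executions (3 x 56 = 168 key bits)."""
    return toy_encrypt(toy_decrypt(toy_encrypt(p, k1), k2), k3)


def tdea_decrypt(c: int, k1: int, k2: int, k3: int) -> int:
    """P = D_k1[ E_k2[ D_k3[C] ] ]: the mirror image of the encryption order."""
    return toy_decrypt(toy_encrypt(toy_decrypt(c, k3), k2), k1)


def single_key_compatible(p: int, k: int) -> bool:
    """Why the middle step is a decryption: with k1 = k2 = k3, D_k2 cancels E_k1
    and EDE collapses to one single-key encryption, so a triple-DEA device can
    interoperate with a single-DEA peer simply by repeating the key."""
    return tdea_encrypt(p, k, k, k) == toy_encrypt(p, k)


if __name__ == "__main__":
    # Constructed sample keys (56-bit) and one 64-bit plaintext block.
    k1, k2, k3 = 0x0123456789ABCD, 0xFEDCBA98765432, 0x0F1E2D3C4B5A69
    p = 0x0011223344556677
    c = tdea_encrypt(p, k1, k2, k3)
    print(hex(c), tdea_decrypt(c, k1, k2, k3) == p, single_key_compatible(p, k1))
```

The same three-key pattern is what a real TDEA implementation applies with DEA in place of the toy rounds; the decrypt-in-the-middle choice is purely for backward compatibility, it adds no strength.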

Location of encryption devices

- Link encryption
  - Each packet is decrypted at every switch
- End-to-end encryption
  - The source encrypts and the destination decrypts
- Hybrid
  - Both link and end-to-end encryption are used
  - High security

Key distribution

For encryption to work over a network, the two parties (sender and receiver) must exchange and share the same keys, while protecting access to the keys from others.

- A key could be selected by A and physically distributed to B
- A third party could select the key and physically deliver it to A and B.
- If A and B have previously and recently used a key, one party could transmit the new key to the other, encrypted using the old key
- If A and B could have an encrypted connection to a third party C, C could deliver a key on the encrypted link to A and B

Public key encryption

- Public key algorithms are based on mathematical functions rather than on simple operations on bit patterns
- Public key cryptography is asymmetric, involving the use of two separate keys
- The key ingredients are similar to those of conventional secret-key algorithms, except that there are two keys – a public key and a private key – used as input to the encryption and decryption algorithms

Public key encryption

[Figure: public key encryption. Plaintext input → encryption algorithm (e.g. RSA) keyed with the destination's public key → transmitted ciphertext → decryption algorithm keyed with the destination's private key → plaintext output]

Public key encryption

- Steps:
  - Generation of a pair of keys to be used for encryption and decryption of messages
  - Placing one of the keys in a public register and maintaining a collection of the public keys of the other users
  - Encrypting the message with the destination's public key
  - When the destination receives the message, it decrypts it with its private key

Digital signature

[Figure: digital signature. Plaintext input → encryption algorithm (e.g. RSA) keyed with the source's private key → transmitted ciphertext → decryption algorithm keyed with the source's public key → plaintext output]

Safe from alteration but not safe from eavesdropping (anyone holding the source's public key can read it)

Public key encryption algorithms

- RSA – invented in 1973 by three MIT professors
  - In contrast to DES, RSA uses sophisticated mathematics instead of simple manipulation and substitution
  - Mostly 1024-bit keys are used
  - Public key encryption and decryption using RSA is 1000 times slower than secret-key methods using DES
- DSA (Digital Signature Algorithm) – used for digital signatures
  - DSA was proposed by NIST

Hybrid of Conventional and Public key encryption

- A encrypts the message using conventional encryption with a one-time conventional session key
- A encrypts the session key using public key encryption with B's public key
- A attaches the encrypted session key to the message and sends both to B
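One worked example covering the three preceding slides: the public-key steps (key pair, encrypt with the destination's public key, decrypt with its private key), the digital signature (sign with the source's private key, verify with its public key, message still readable by anyone), and the hybrid envelope (session key under B's public key, message under the session key). This is added code, not from the slides or any library. It is textbook RSA: the two primes are fixed Mersenne primes chosen so the example is reproducible, there is no padding, and the "conventional cipher" is a hash-based keystream standing in for DES or AES so that only the standard library is needed.

```python
"""Added example (not from the slides): textbook RSA key pair, public-key
encryption, digital signature and the hybrid session-key envelope.
Assumptions: fixed Mersenne primes as p and q (a real key pair uses random
primes of 1024 bits or more), no padding, and a SHA-256 keystream as the
stand-in for the conventional cipher."""
import hashlib
import secrets

P = 2**61 - 1          # both known primes; n is about 150 bits
Q = 2**89 - 1
E = 65537


def generate_keypair(p=P, q=Q, e=E):
    """Step 1: generate (public, private). d is e's inverse mod phi(n)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)            # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def pk_encrypt(public_key, m: int) -> int:
    """Step 3: the sender encrypts with the destination's public key."""
    n, e = public_key
    if not 0 <= m < n:
        raise ValueError("message must be smaller than the modulus")
    return pow(m, e, n)


def pk_decrypt(private_key, c: int) -> int:
    """Step 4: the destination decrypts with its private key."""
    n, d = private_key
    return pow(c, d, n)


def digest_mod_n(message: bytes, n: int) -> int:
    """Hash the message with SHA-256 and reduce it into the RSA domain."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message: bytes) -> int:
    """Digital signature: the source applies its private key to the digest.
    The message itself travels in the clear alongside the signature, which
    is why a signature protects against alteration but not eavesdropping."""
    n, d = private_key
    return pow(digest_mod_n(message, n), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """Verification with the source's public key."""
    n, e = public_key
    return pow(signature, e, n) == digest_mod_n(message, n)


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in conventional cipher: XOR with SHA-256(key || block counter).
    Symmetric by construction, so the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def hybrid_encrypt(recipient_public, message: bytes, session_key: bytes = None):
    """A: encrypt the message under a one-time session key, then wrap the
    session key under B's public key and attach it to the message."""
    if session_key is None:
        session_key = secrets.token_bytes(16)       # fresh 128-bit key
    body = keystream_xor(session_key, message)
    wrapped = pk_encrypt(recipient_public, int.from_bytes(session_key, "big"))
    return wrapped, body


def hybrid_decrypt(recipient_private, wrapped: int, body: bytes) -> bytes:
    """B: unwrap the session key with the private key, then decrypt the body."""
    session_key = pk_decrypt(recipient_private, wrapped).to_bytes(16, "big")
    return keystream_xor(session_key, body)


if __name__ == "__main__":
    pub, priv = generate_keypair()
    msg = b"constructed sample message for B"      # constructed input
    wrapped, body = hybrid_encrypt(pub, msg)
    print(hybrid_decrypt(priv, wrapped, body) == msg)
    sig = sign(priv, msg)
    print(verify(pub, msg, sig), verify(pub, msg + b"!", sig))
```

The split of work is the point of the hybrid scheme: the slow public-key operation runs once over a 16-byte key, while the bulk of the message goes through the fast symmetric cipher.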

Message Authentication and Hash function

- It protects against active attacks
- It proves that the message has not been altered and that the source is authentic
- MAC (Message Authentication Code)

[Figure: message authentication with a MAC. The sender runs the MAC algorithm over message M with the shared key K and transmits M together with the resulting MAC; the receiver runs the same MAC algorithm over the received M with K and compares the result with the received MAC]

One-way Hash Function

- It accepts a variable-size message M as input and produces a fixed-size message digest H(M) as output
- H(M) is sent with the message
- It does not take a secret key as input
- The message digest can be protected using:
  - Conventional encryption
  - Public-key encryption
  - A secret value

Secure Hash Function

- Requirements:
  - H can be applied to a block of data of any size
  - H produces a fixed-length output
  - H(x) is easy to compute for every x
  - For any given code h, it is computationally infeasible to find x such that H(x) = h
  - For any given block x, it is computationally infeasible to find y != x with H(y) = H(x)
  - It is computationally infeasible to find any pair (x, y) such that H(x) = H(y)
- One of the most important hash functions is SHA-1 (every bit of the hash code is a function of every bit in the input)
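The MAC flow from the figure above and the "every output bit depends on every input bit" property, as an added example that is not from the slides. It uses HMAC-SHA-256 from the Python standard library rather than SHA-1 (the key and message are constructed sample values); it shows the receiver's recompute-and-compare step, what an unkeyed digest on its own does and does not give you, and measures how many digest bits change when a single input bit is flipped.

```python
"""Added example (not from the slides): keyed MAC generation/verification
and an avalanche measurement on a secure hash. HMAC with SHA-256 from the
standard library; the key and message below are constructed samples."""
import hashlib
import hmac

SHARED_KEY = b"constructed-shared-secret-K"
MESSAGE = b"transfer 100 to account 42"


def compute_mac(key: bytes, message: bytes) -> bytes:
    """Sender side: MAC = MAC_algo(K, M), transmitted together with M."""
    return hmac.new(key, message, hashlib.sha256).digest()


def verify_mac(key: bytes, message: bytes, tag: bytes) -> bool:
    """Receiver side: recompute over the received M and compare.
    compare_digest is constant-time, so the comparison does not leak how
    many leading bytes of a candidate tag were right."""
    return hmac.compare_digest(compute_mac(key, message), tag)


def unkeyed_digest(message: bytes) -> bytes:
    """One-way hash H(M): no secret input. It detects accidental corruption,
    but anyone who changes M can recompute H(M) to match, which is why the
    digest must be encrypted or combined with a secret value."""
    return hashlib.sha256(message).digest()


def verify_unkeyed(message: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(unkeyed_digest(message), digest)


def bit_difference(a: bytes, b: bytes) -> int:
    """Hamming distance between two equal-length byte strings."""
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche_fraction(message: bytes, bit_index: int = 0) -> float:
    """Flip one input bit and report the fraction of digest bits that change.
    For a secure hash this sits near 0.5: every output bit is a function of
    every input bit, the property the slides attribute to SHA-1."""
    flipped = bytearray(message)
    flipped[bit_index // 8] ^= 1 << (bit_index % 8)
    d1, d2 = unkeyed_digest(message), unkeyed_digest(bytes(flipped))
    return bit_difference(d1, d2) / (8 * len(d1))


def receiver_outcomes() -> dict:
    """The cases a receiver meets, for the keyed and the unkeyed check."""
    tag = compute_mac(SHARED_KEY, MESSAGE)
    altered = MESSAGE.replace(b"42", b"66")
    return {
        "genuine": verify_mac(SHARED_KEY, MESSAGE, tag),           # True
        "altered_message": verify_mac(SHARED_KEY, altered, tag),   # False
        "wrong_key": verify_mac(b"not-the-key", MESSAGE, tag),     # False
        # Unkeyed digest sent in the clear: whoever alters M can also
        # replace H(M), so the receiver's check cannot tell the difference.
        "unkeyed_after_alteration": verify_unkeyed(altered, unkeyed_digest(altered)),
    }


if __name__ == "__main__":
    print(receiver_outcomes())
    print(f"avalanche: {avalanche_fraction(MESSAGE):.2f} of digest bits changed")
```

The last dictionary entry is the reason the slides list encryption of the digest or a secret value as a requirement: the hash alone binds the digest to the message, not to the sender.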

IPv4 and IPv6 security

- There is a need to secure the network infrastructure against unauthorized monitoring and control of network traffic, and a need to secure end-user-to-end-user traffic using authentication and encryption mechanisms
- In response, the IAB included authentication and encryption as necessary security features in IPv6
- IPSec provides the capability to secure communication across a LAN, across private and public WANs and across the Internet
- The principal feature of IPSec: it can encrypt and/or authenticate all traffic at the IP level

IPv4 and IPv6 security

- IPSec's main facilities:
  - AH (Authentication Header) – an authentication-only function
    - Provides support for data integrity and authentication of IP packets
  - ESP (Encapsulating Security Payload) – a combined authentication/encryption function
    - Provides confidentiality services, including confidentiality of message contents and limited traffic-flow confidentiality
  - A key exchange function
    - Manual key management
    - Automated key management

Security association

- It is a one-way relationship between a sender and a receiver that affords security services to the traffic carried on it
- It is identified by:
  - SPI (Security Parameters Index)
  - IP destination address: only unicast addresses are allowed
  - Security protocol identifier: AH or ESP SA

IPv4 and IPv6 security

- AH and ESP support two modes of use:
  - Transport mode
    - Provides protection primarily for upper-layer protocols
    - Provides protection to the payload of an IP packet
    - Typically used for end-to-end communication between hosts
  - Tunnel mode
    - Provides protection to the entire IP packet
    - Used when one or both ends of an SA are a security gateway, such as a firewall or router that implements IPSec
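The SA identification triple and the two modes, as an added example that is not from the slides: a small parser that takes a raw IPv4 packet carrying AH or ESP and recovers SPI, destination address and security protocol (the three fields of the SA identifier). For AH the Next Header field is readable, so the parser also reports transport mode (an upper-layer protocol follows) versus tunnel mode (a whole IP packet follows); for ESP that field sits inside the encrypted trailer and the mode is not observable. Field layouts follow RFC 4302 and RFC 4303. The sample packets are constructed inline with zero checksums and a dummy ICV; this is an inspection aid, not an IPsec implementation, and it verifies nothing.

```python
"""Added example (not from the slides): recover the SA identifier
(SPI, destination address, AH or ESP) from a raw IPv4 packet and, for AH,
tell transport from tunnel mode via the Next Header field. Sample packets
are constructed here; the ICV is a placeholder and is never checked."""
import socket
import struct

IPPROTO_ESP, IPPROTO_AH = 50, 51
IPPROTO_IPIP, IPPROTO_IPV6 = 4, 41       # inner IP packet follows => tunnel mode


def parse_ipv4(pkt: bytes):
    """Return (protocol, dst, header_len, total_len) of an IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    total_len, = struct.unpack_from("!H", pkt, 2)
    return pkt[9], socket.inet_ntoa(pkt[16:20]), ihl, total_len


def identify_sa(pkt: bytes) -> dict:
    """Extract the SA identifier triple plus the mode where it is observable."""
    proto, dst, ihl, total_len = parse_ipv4(pkt)
    body = pkt[ihl:total_len]
    if proto == IPPROTO_AH:
        # RFC 4302: Next Header, Payload Len (32-bit words minus 2), Reserved, SPI, Seq, ICV
        next_hdr, payload_len, _, spi, seq = struct.unpack_from("!BBHII", body, 0)
        ah_len = (payload_len + 2) * 4
        icv = body[12:ah_len]
        mode = "tunnel" if next_hdr in (IPPROTO_IPIP, IPPROTO_IPV6) else "transport"
        return {"protocol": "AH", "dst": dst, "spi": spi, "seq": seq,
                "next_header": next_hdr, "icv_len": len(icv), "mode": mode}
    if proto == IPPROTO_ESP:
        # RFC 4303: SPI and Seq are in the clear; Next Header is in the
        # encrypted trailer, so mode cannot be read without the SA's key.
        spi, seq = struct.unpack_from("!II", body, 0)
        return {"protocol": "ESP", "dst": dst, "spi": spi, "seq": seq,
                "mode": "not observable"}
    raise ValueError(f"IP protocol {proto} is neither AH nor ESP")


def _ipv4_header(src: str, dst: str, proto: int, total: int) -> bytes:
    """Minimal IPv4 header for the constructed samples (checksum left 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def build_ah_packet(src: str, dst: str, next_hdr: int, spi: int, seq: int,
                    inner: bytes, icv: bytes = b"\x00" * 12) -> bytes:
    """Constructed sample: IPv4 + AH + inner bytes. icv is a dummy placeholder."""
    ah_len = 12 + len(icv)
    ah = struct.pack("!BBHII", next_hdr, ah_len // 4 - 2, 0, spi, seq) + icv
    return _ipv4_header(src, dst, IPPROTO_AH, 20 + ah_len + len(inner)) + ah + inner


def build_esp_packet(src: str, dst: str, spi: int, seq: int, ciphertext: bytes) -> bytes:
    """Constructed sample: IPv4 + ESP; ciphertext is an opaque placeholder."""
    esp = struct.pack("!II", spi, seq) + ciphertext
    return _ipv4_header(src, dst, IPPROTO_ESP, 20 + len(esp)) + esp


if __name__ == "__main__":
    inner_ip = b"\x45" + b"\x00" * 19                    # stands in for an inner IPv4 header
    tunnel = build_ah_packet("10.0.0.1", "10.0.0.2", IPPROTO_IPIP, 0x1000, 7, inner_ip)
    transport = build_ah_packet("10.0.0.1", "10.0.0.2", 6, 0x1001, 8, b"\x00" * 20)
    esp = build_esp_packet("10.0.0.1", "10.0.0.2", 0x2000, 1, b"\x00" * 16)
    for p in (tunnel, transport, esp):
        print(identify_sa(p))
```

A monitoring point that keys its state on (SPI, destination, protocol) is keeping exactly the lookup the receiving IPsec stack performs to select the SA; the addresses here are the RFC 1918 sample values chosen for the constructed packets.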
