1 / 58

Chapte r 9

Chapte r 9. Security i n C ompute r N etw ork. Compiled By: Ashish Kr. Jha. 2. P roper ti e s o f Secure Commun i c a tion C o nfi d e n tia l ity/S e crecy ▫ D ata i s onl y u n d ers ta n d a b l e t o the c o mmunicating pa r ties A u thenticati o n.

toliver
Download Presentation

Chapte r 9

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Chapter9 SecurityinComputerNetwork Compiled By: Ashish Kr. Jha

  2. 2 • PropertiesofSecureCommunication • Confidentiality/Secrecy • ▫ Dataisonlyunderstandabletothecommunicatingparties • Authentication • IntegrityandNon-repudiability • ▫ Evenifsenderandreceiverareabletoauthenticateeachother,theymustensurethatthedatareceivedisnotalteredeithermaliciouslyorbyaccident. • ▫ RefusetoAccept • Accesscontrolandavailability • ▫ Usingfirewall Compiled By: Ashish Kr. Jha

  3. 3 NetworkSecurityIssues Compiled By: Ashish Kr. Jha

  4. 4 • PrinciplesofCryptography • Techniquesemployedinprotectingintegrity orsecrecyof • electronicmessagesbyconvertingthemintounreadable(ciphertext)form. • Onlytheuseofasecretkeycanconverttheciphertextback • intohumanreadable(cleartext)form. • Cryptographysoftwareand/orhardwaredevicesusemathematicalformulas(algorithms)tochangetextfromoneformtoanother. • Twoprinciples: • ▫ SymmetricKeyCryptography(SecretKey) • ▫ AsymmetricKeyCryptography(PublicKey) Compiled By: Ashish Kr. Jha

  5. 5 • SymmetricKeyCryptographyPrinciples • Useasinglesecretkey • Theciphertexthasalmostthesamesizeastheoriginalmessage • Builtonasharedsecretorsomerandomunpredictabledata • Thestrengthmostlydependsonthekeylength • Encryptlargefilesfastandefficiently • Gobymanynames(sessionkey,singlekey,bulkencryption) Compiled By: Ashish Kr. Jha

  6. 6 SymmetricKeyCryptographyPrinciples Compiled By: Ashish Kr. Jha

  7. 7 • SymmetricKeyCryptographyPrinciples • MonoAlphabetic • PolyAlphabetic • DES,3DES • Rijndael(AESWinner) Compiled By: Ashish Kr. Jha

  8. 8 • MonoAlphabetic • CaesarCipher • ▫ Veryoldandsimplesymmetrickeyalgorithm • ▫ Takeeachalphabetin plain textandreplaceitbyletterthatis ‘’’”’‘k’ lettersahead. • Eg.Fork=5=>‘a’ isreplacedby'f’, ‘x’ by ‘c’andsoon • ▫ Veryeasytobreak=>only25valuesofKeys • Monoalphabeticcipher: • ▫ Anylettercanbesubstitutedbyotheraslingaseachletterhas • uniquesubstituteletter • Eg.Plaintext: • Ciphertext: bob.iloveyou.alice nkn.sgktcwky.mgsbc ▫ BetterthanCaesarcipherinthatthereare26!(1026)possiblepairingofletters. Compiled By: Ashish Kr. Jha

  9. 9 PolyAlphabeticcipher • Key:C1C2C2 • ▫ Then text “abcde” would be transmitted as “fuvix” Compiled By: Ashish Kr. Jha

  10. 10 • DataEncryptionStandard(DES) • DESistheblockcipher— analgorithmthattakesafixed-length • stringofplaintextbitsandtransformsitthroughaseriesof • complicatedoperationsintoanotherciphertextbitstringofthesamelength. • InthecaseofDES,theblocksizeis64bits. • • • DESalsousesakeytocustomizethetransformation,sothatdecryptioncansupposedlyonlybeperformedbythosewhoknowtheparticularkeyusedtoencrypt. • Thekeyostensiblyconsistsof64bits;however,only56oftheseare • actuallyusedbythealgorithm. • Eightbitsareusedsolelyforcheckingparity,andarethereafterdiscarded. • Hencetheeffectivekeylengthis56bits,anditisalwaysquotedas • such. • Every8thbitoftheselectedkeyisdiscarded,thatis,positions8,16,24,32,40,48,56,64areremovedfromthe64bitkeyleavingbehindonlythe56bitkey. Compiled By: Ashish Kr. Jha

  11. 11 DataEncryptionStandard(DES) Compiled By: Ashish Kr. Jha

  12. 12 • DataEncryptionStandard(DES) • Theoperationofoneoftheseintermediatestagesisillustratedin(b). • Eachstagetakestwo32-bitinputsandproducestwo32-bitoutputs. • Theleftoutputissimplyacopyoftherightinput. • TherightoutputisthebitwiseXORoftheleftinputandafunctionoftherightinputandthekeyforthisstage,Ki • Allthecomplexityliesinthisfunction. • Thefunctionconsistsoffoursteps,carriedoutinsequence. • First,a48-bitnumber,E,isconstructedbyexpandingthe32-bitRi-1 • accordingtoafixedtranspositionandduplicationrule. • Second,EandKiareXORedtogether. • Thisoutputisthenpartitionedintoeightgroupsof6bitseach,eachofwhichisfedintoadifferentS-box.Eachofthe64possibleinputstoanS-boxismappedontoa4-bitoutput. • Finally,these8x4bitsarepassedthroughaP-box.. Compiled By: Ashish Kr. Jha

  13. 13 • DataEncryptionStandard(DES) • Ineachofthe16iterations,adifferentkeyisused. • Beforethealgorithmstarts,a56-bittranspositionisappliedtothekey. • Justbeforeeachiteration,thekeyispartitionedintotwo28-bitunits,eachofwhichisrotatedleftbyanumberofbitsdependentontheiterationnumber. • Kiisderivedfromthisrotatedkeybyapplyingyetanother56-bit • transpositiontoit. • Adifferent48-bitsubsetofthe56bitsisextractedandpermutedoneachround. Compiled By: Ashish Kr. Jha

  14. 14 DataEncryptionStandard(DES) Compiled By: Ashish Kr. Jha

  15. 15 • PublicKeyEncryption • Twokeys: • ▫ publicencryptionkeye • ▫ privatedecryptionkeyd • encryptioneasywheneisknown • decryptionhardwhendisnotknown • decryptioneasywhendisknown • Themostfamousalgorithm:RSA Compiled By: Ashish Kr. Jha

  16. 16 PublicKeyEncryption Compiled By: Ashish Kr. Jha

  17. 17 RSAAlgorithm Choosetwolargeprimenumbersp,q. (e.g.,1024bitseach) Computen=pq,z=(p-1)(q-1) Choosee(withe<n)thathasnocommonfactors withz.(e,zare relativelyprimeರ). Choosedsuchthated-1isexactlydivisiblebyz. (inotherwords:edmodz=1). Publickeyis(n,e).Privatekeyis(n,d). K+B K- B Compiled By: Ashish Kr. Jha

  18. 18 RSAAlgorithm *Given(n,e)and(n,d)ascomputedabove *Toencryptbitpattern,m,compute (i.e.,remainderwhenmeisdividedbyn) c=memodn *Todecryptreceivedbitpattern,c,compute (i.e.,remainderwhencdisdividedbyn) m=cdmodn m=(memodn)dmodn c Magic happens! Compiled By: Ashish Kr. Jha

  19. 19 • RSAAlgorithm • EncryptMessage“LOVE”usingRSAAlgorithm • ▫ Letp=5,q=7(Smallernumbersareselectedforsimplicity) • ▫ Thenn=pq=5*7=35 • ▫ Andz=(p-1)(q-1)=4*6=24 • ▫ Selectinge=5(e<nandnocommonfactorwithz)andd=29(suchthat:edmodz=1) • =>PublicKey(n,e)=(35,5) • =>PrivateKey(n,d)=(35,29) Compiled By: Ashish Kr. Jha

  20. 20 RSAAlgorithm Encryption(LOVE=>QOVJ) Decryption(QOVJ=>LOVE) Compiled By: Ashish Kr. Jha

  21. 21 RSAAlgorithm AnimportantpropertyofRSAAlgorithm: - + + - K(K(m))= K(K(m)) m = B B B B useprivatekeyfirst,followedbypublickey usepublickeyfirst,followedbyprivatekey Resultisthesame! Compiled By: Ashish Kr. Jha

  22. 22 • DigitalSignature • Cryptographictechnique • signatures. analogous tohand-written establishingheis • Sender(Bob)digitallysignsdocument, • documentowner/creator. • Verifiable:recipient(Alice)canprovetosomeonethatBob,andnooneelse(includingAlice),musthavesigneddocument Compiled By: Ashish Kr. Jha

  23. 23 DigitalSignature Bobsignsmbyencryptingwithhisprivate - - keyKB,creating“signed” message,KB(m) Compiled By: Ashish Kr. Jha

  24. 24 DigitalSignature • Suppose Alice receives message m, digital signature KB-(m) • Alice verifies m signed by Bob by applying Bob’s public key KB+ to KB-(m) then checks KB+(KB-(m) ) = m. • If K+B(K-B(m) ) = m, whoever signed m must have used Bob’s private key. • Alice thus verifies that: • ü Bob signed m. (Authentication) • ü No one else signed m. • ü Bob signed m and notm’.(Message Integrity) • Non-repudiation: • Alice can take m, and signature KB(m) to court and prove that Bob signed m. Compiled By: Ashish Kr. Jha

  25. 25 • Diffie-HellmanAlgorithm • AKeyExchangeAlgorithm • Exponentialkeyagreement • Allowstwouserstoexchangeasecretkey • Requiresnopriorsecrets • Real-timeoveranun-trustednetwork • Basedonthedifficultyofcomputingdiscretelogarithmsoflargenumbers. • UsedinSSL,SSH,IPSec,Ciscoencryptingrouters,SunsecureRPCandetc. • #AliceandBobwanttoshareasecretkeyforuseinasymmetriccipher,buttheironlymeansofcommunicationisinsecure. Compiled By: Ashish Kr. Jha

  26. 26 Diffie-HellmanAlgorithm Compiled By: Ashish Kr. Jha

  27. 27 • Diffie-HellmanAlgorithm • First,usersagreeonalargeprimepandanonzerointegerg. • pandgarebothpubliclyavailablenumbers • ▫ pisatleast512bits • Userspickprivatevaluesaandb • Computepublicvalues • ▫ x=gamodp • ▫ y=gbmodp • Publicvaluesxandyareexchanged • Computeshared,privatekey • ▫ ka=yamodp • ▫ kb=xbmodp • Algebraicallyitcanbeshownthatka=kb • Usersnowhaveasymmetricsecretkeytoencrypt Compiled By: Ashish Kr. Jha

  28. 28 • Diffie-HellmanAlgorithm • AliceandBobgetpublicnumbers • ▫ P=23,G=9 • AliceandBobcomputepublicvalues • ▫ X=94mod23=6561mod23=6 • ▫ Y=93mod23=729mod23=16 • AliceandBobexchangepublicnumbers • AliceandBobcomputesymmetrickeys • ▫ ka=yamodp=164mod23=9 • ▫ kb=xbmodp=63mod23=9 • AliceandBobnowcantalksecurely! Compiled By: Ashish Kr. Jha

  29. 29 • SecuringEmailusingPrettyGoodPrivacy(PGP) • PrettyGoodPrivacy(PGP)isane-mailencryptionschemethathasbecomeade-factostandard,withthousandsofusersallovertheglobe. • Dependingontheversion,thePGPsoftwareusesMD5orSHAforcalculatingthemessagedigest;CAST,Triple-DESorIDEAforsymmetrickeyencryption;andRSAforthepublickeyencryption. • Inaddition,PGPprovidesdatacompression. • WhenPGPisinstalled,thesoftwarecreatesapublickeypairfor • theuser. • Thepublickeycanbepostedontheuser'sWebsiteorplacedinapublickeyserver. • Theprivatekeyisprotectedbytheuseofapassword.Thepasswordhastobeenteredeverytimetheuseraccessestheprivatekey. • PGPgivestheusertheoptionofdigitallysigningthemessage,encryptingthemessage,orbothdigitallysigningandencrypting. Compiled By: Ashish Kr. Jha

  30. 30 SecuringEmailusingPrettyGoodPrivacy(PGP) Compiled By: Ashish Kr. Jha

  31. 31 • SecureSocketLayer(SSL) • Securesocketslayer(SSL),originallydevelopedbyNetscape,isaprotocoldesignedtoprovidedataencryptionandauthenticationbetweenaWebclientandaWebserver. • WheneverawebsurfervisitsasecuresitethatusesSSLtechnology,itcreatesanencryptedlinkbetweentheirbrowsersessionandthewebserver • Theprotocolbeginswithahandshakephasethatnegotiatesanencryptionalgorithm(e.g.,DESorRSA)andkeys,andauthenticatestheservertotheclient. • Optionally,theclientcanalsobeauthenticatedtotheserver. • Oncethehandshakeiscompleteandthetransmissionofapplicationdatabegins,andalldataisencryptedusingsessionkeysnegotiatedduringthehandshakephase. • SSLiswidelyusedinInternetcommerce,beingimplementedinalmostallpopularbrowsersandWebservers Compiled By: Ashish Kr. Jha

  32. 32 SecureSocketLayer(SSL) Compiled By: Ashish Kr. Jha

  33. 33 • SecureSocketLayerFeatures • SSLserverauthentication: • ▫ SSL-enabledbrowsermaintainlistsoftrustedCAಬsalongwiththeirpublickeys. • ▫ Browserrequestsservercertificate,issuedbytrustedCA. • ▫ Serversenditscertificate. • ▫ BrowserusesCAಬspublickeytoextractserverಬspublickeyfromcertificate. • EncryptedSSLsession: • ▫ Browsergeneratessymmetricsessionkey,encryptsitwith • serverಬspublickey,sendsencryptedkeytoserver. • ▫ Usingprivatekey,serverdecryptssessionkey. • ▫ Browser,serverknowsessionkey • ▫ AlldatasentintoTCPsocket(byclientorserver)encryptedwith • sessionkey. • SSLclientauthentication: • ▫ Analogoustoserverauthentication Compiled By: Ashish Kr. Jha

  34. 34 NetworkLayerSecurity-VPN • Avirtualprivatenetwork(VPN)isaprivate networkthat interconnectsremote(andoftengeographically separate) • networksthroughprimarilypubliccommunicationinfrastructuressuchastheInternet. • Itenablesacomputertosendandreceivedataacrosssharedorpublicnetworksasifitisdirectlyconnectedtotheprivatenetwork. • AVPNiscreatedbyestablishingavirtualpoint-to-pointconnectionthroughtheuseofeitherdedicatedconnection,orvirtualtunnelingprotocols,ortrafficencryptions. • ThroughVPN,youcanaccessyourprivatenetworkoverinternet. • VPNsprovidesecuritythroughtunnelingprotocolsandsecurityproceduressuchasencryption.Forexample,aVPNcouldbeusedtosecurelyconnectthebranchofficesofanorganizationtoaheadofficenetworkthroughthepublicInternet. Compiled By: Ashish Kr. Jha

  35. 35 VirtualPrivateNetwork • HosttoGateway/remote-accessVPNsand • GatewaytoGateway/SitetoSiteVPN Compiled By: Ashish Kr. Jha

  36. 36 RemoteAccessVPN Compiled By: Ashish Kr. Jha

  37. 37 SitetoSiteVPN Compiled By: Ashish Kr. Jha

  38. 38 • VPN • VPNsallowemployeestosecurelyaccesstheircompany's • intranetwhiletravelingoutsidetheoffice. • Similarly,VPNssecurelyconnectgeographicallydisparate • officesofanorganization,creatingonecohesivenetwork. • VPNtechnologyisalsousedbyInternetuserstoconnecttoproxyserversforthepurposeofprotectingpersonalidentityandlocation. Compiled By: Ashish Kr. Jha

  39. 39 • IPSecurity(IPSec) • InternetProtocolSecurity (IPsec) isaprotocolsuitefor by a securingInternetauthenticatingand Protocolencrypting (IP) communications each IPpacketof • communicationsession. • IPsecusescryptographicsecurityservicestoprotectcommunicationsoverInternetProtocol(IP)networks. • IPseccanbeusedinprotectingdataflowsbetweenapairof hosts(host-to-host), betweenapairofsecuritygateways • (network-to-network),orbetweenasecuritygatewayandahost(network-to-host). • Twoprincipalprotocols • ▫ AuthenticationHeader(AH)protocoland • ▫ EncapsulationSecurityPayload(ESP)protocol Compiled By: Ashish Kr. Jha

  40. 40 • IPSecurity(IPSec) • Whenasourcehostsendssecuredatagramstoadestinationhost,itdoessowitheithertheAHprotocolorwiththeESPprotocol. • TheAHprotocolprovidessourceauthenticationanddata • integritybutdoesnotprovidesecrecy. • TheESPprotocolprovidesdataintegrityandsecrecy.Providingmoreservices,theESPprotocolisnaturallymorecomplicatedandrequiresmoreprocessingthantheAHprotocol. Compiled By: Ashish Kr. Jha

  41. 41 • IPSecelements • IPSeccontainsthefollowingelements: • EncapsulatingSecurityPayload(ESP):Providesconfidentiality,authentication,andintegrity. • AuthenticationHeader(AH):Providesauthenticationand • integrity. • InternetKeyExchange(IKE):ProvideskeymanagementandSecurityAssociation(SA)management. Compiled By: Ashish Kr. Jha

  42. 42 • IPSecSecurityFeatures • IPSecisthemostsecuremethodcommerciallyavailableforconnectingnetworksites.IPSecwasdesignedtoprovidethefollowingsecurityfeatureswhentransferringpacketsacrossnetworks: • Authentication:Verifiesthatthepacketreceivedisactuallyfromtheclaimedsender. • Integrity:Ensuresthatthecontentsofthepacketdidnot • changeintransit. • Confidentiality:Concealsthemessagecontentthroughencryption. Compiled By: Ashish Kr. Jha

  43. 43 WirelessSecurityusingWEP • The802.11standardprescribesadataprotocolcalledWEP(WiredEquivalent link-levelsecurityPrivacy),whichis • designedtomakethesecurityofawirelessLANasgoodas • thatofawiredLAN. • When802.11securityisenabled,eachstationhasasecretkeysharedwiththebasestation. • Howthekeysaredistributedisnotspecifiedbythestandard. • WEPalgorithmisusedto(WEPfeatures): ▫ Protectwirelesscommunicationfromeavesdropping (secretly listeningtotheprivateconversationofotherswithouttheirconsent) ▫ Preventunauthorizedaccesstowirelessnetwork • GoalsofWEP • 1.AccessControl 2.DataIntegrity 3.Confidentiality Compiled By: Ashish Kr. Jha

  44. 44 • WEP • WEPreliesonasecretkeywhichissharedbetweenthe • senderandthereceiver. • ▫ Sender:Mobilestation(eg:laptopwithwirelessethernet) • ▫ Receiver:AccessPoint(eg:basestation) • SecretKeyisusedtoencryptpacketsbeforetheyaretransmitted • Integritycheckisusedtoensurepacketarenotmodifiedin • transit. • WEPencryptionusesastreamcipherbasedontheRon'sCode4(RC4)algorithm.RC4wasdesignedbyRonaldRivestandkeptsecretuntilitleakedoutandwaspostedtotheInternetin1994. • InWEP,RC4generatesakeystreamthatisXORedwiththeplaintexttoformtheciphertext. Compiled By: Ashish Kr. Jha

  45. 45 WEP Compiled By: Ashish Kr. Jha

  46. 46 • WEP • WEPusesRC4encryption algorithm known 64or asಯstream cipherರtoprotectconfidentialityofitsdata • usestheRC4streamcipher, • consistingof: usinga 128-bitkey • ▫ A24-bitInitializationVector(IV) • ▫ A40or104-bitsecretkey • TheSecretKeyissharedamongthestationsandeverytime • newIVisselected • InitializationVector(IV): • ▫ Usedtoavoidencryptingtwociphertextwithsamekeystream • ▫ UsedtoproducedifferentRC4keyforeachpacket Compiled By: Ashish Kr. Jha

  47. 47 • Firewall • Afirewallisacombinationofhardwareandsoftwarethatisolatesanorganization'sinternalnetworkfromtheInternetatlarge,allowingspecificconnectionstopassandblockingothers. • Organizationsemployfirewallsforoneormoreofthefollowingreasons: • ▫ Topreventintrudersfrominterferingwiththedaily • operationoftheinternalnetwork. • denialofserviceattack,SYNFINAttack • ▫ Topreventintrudersfromdeletingormodifyinginformationstoredwithintheinternalnetwork. • ▫ Topreventintrudersfromobtainingsecretinformation. Compiled By: Ashish Kr. Jha

  48. 48 • FirewallTypes • PacketFiltering • ApplicationLevelGateway Compiled By: Ashish Kr. Jha

  49. 49 • PacketFiltering • Workatthenetworklayer. • InternalnetworkconnectedtoInternetviarouterfirewall. • Routerfilterspacket-by-packetandcomparestoasetof • criteriabeforeitisforwarded. • FilteringBasedon • ▫ Source/DestinationIPaddress. • ▫ TCPorUDPsourceanddestinationport. ▫ ICMPmessagetype. ▫ ConnectioninitializationdatagramsusingtheTCPACKbit Shouldarrivingpacketbeallowedin?Departingpacketletout? Compiled By: Ashish Kr. Jha

  50. 50 • PacketFiltering • Example1:blockincomingandoutgoingdatagramswithIPprotocolfield=17andwitheithersourceordestport=23. • ▫ AllincomingandoutgoingUDPflowsandtelnet • connectionsareblocked. • Example2:BlockinboundTCPsegmentswithACK=0. • ▫ PreventsexternalclientsfrommakingTCPconnectionswithinternalclients,butallowsinternalclientstoconnecttooutside. Compiled By: Ashish Kr. Jha

More Related