This chapter delves into the historical context and recent developments in conventional encryption. It addresses key issues such as authentication, integrity, and the vulnerabilities associated with traffic analysis and key distribution. The focus on end-to-end encryption highlights the importance of maintaining data confidentiality at both ends of the communication link. The chapter also discusses various encryption strategies, the role of Key Distribution Centers (KDC), and the significance of random number generation in securing data. Key features include the differences between link and end-to-end encryption.
CONFIDENTIALITY USING CONVENTIONAL ENCRYPTION – Chapter 7
• Historically – Conventional Encryption
• Recently – Authentication, Integrity, Signature, Public-key
• Link
• End-to-End
• Traffic Analysis
• Key Distribution
• Random Number Generation
Confidentiality
• Link
  - both ends of link
  - many encryptions / decryptions – all links use it
  - decrypt at packet switch (to read address)
  - unique key per node pair
• End-to-End
  - only at ends
  - data encrypted, not address (header)
  - one key pair
  - traffic pattern insecure
  - authentication from sender
Characteristics of Link and End-to-End Table 7.1
Both Link and End-to-End
• - Data secure at nodes
• - Authentication
• LINK – low level (physical/link)
• END-TO-END – network (X.25)
• End0, End1, End2 (ends separately protected)
• Cannot service internet traffic
E-mail Gateway
• OSI e-mail gateway, TCP
• no end-to-end protocol below the application layer
• networks terminate at the mail gateway
• mail gateway sets up new transport/network connections
• need end-to-end encryption at the application layer
  - disadvantage: many keys
Traffic Confidentiality
• Identities
• Message Frequency
• Message Pattern
• Event Correlation
• Covert Channel
• Link
  - Headers encrypted
  - Traffic padding (Fig 7.6)
• End-to-End
  - Pad data
  - Null messages
KEY DISTRIBUTION
• 1. Physically deliver
• 2. Third party physically selects/delivers
• 3. E_Kold(Knew) → send the new key encrypted under the old one
• 4. End-to-End (KDC): C sends E_KA(Knew) to A and E_KB(Knew) to B
• N hosts → N choose 2 keys – Fig 7.7
• KDC – Key hierarchy – Fig 7.8
• Session Key – temporary: end ↔ end
• Only N master keys – physical delivery
KEY DISTRIBUTION
• User shares Master Key with KDC
• Steps 1-3: Key Distribution
• Steps 3, 4, 5: Authentication
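The five-step KDC exchange the slide refers to, as an added example with both sides' messages (this is illustrative code, not the textbook's or any real KDC's). Message contents follow the standard exchange: step 1, A sends IDA, IDB and a nonce N1 to the KDC; step 2, the KDC replies with E(Ka, [Ks, IDA, IDB, N1, E(Kb, [Ks, IDA])]); step 3, A forwards the inner ticket to B; steps 4 and 5, B sends E(Ks, N2) and A answers E(Ks, f(N2)). The HMAC-based toy cipher, the JSON framing and the identities "A" and "B" are constructed for this example.

```python
import hashlib
import hmac
import json
import os

# Toy symmetric primitive for the demo: XOR with a keyed stream plus an HMAC tag,
# so that a modified ticket is rejected instead of yielding a wrong key silently.
# Constructed for this example; not a real cipher.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def enc(key: bytes, plaintext: bytes) -> bytes:
    """E(K, M): nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def dec(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def pack(fields: dict) -> bytes:
    return json.dumps(fields, sort_keys=True).encode()

def unpack(raw: bytes) -> dict:
    return json.loads(raw.decode())

class KDC:
    """Holds one master key per user, shared out of band (physical delivery on the slide)."""
    def __init__(self, master_keys: dict):
        self.master_keys = master_keys

    def issue(self, request: dict) -> bytes:
        # Step 2: KDC -> A: E(Ka, [Ks || IDA || IDB || N1 || E(Kb, [Ks || IDA])])
        ka, kb = self.master_keys[request["IDA"]], self.master_keys[request["IDB"]]
        ks = os.urandom(16)                     # fresh session key for this connection
        ticket = enc(kb, pack({"Ks": ks.hex(), "IDA": request["IDA"]}))
        return enc(ka, pack({"Ks": ks.hex(), "IDA": request["IDA"], "IDB": request["IDB"],
                             "N1": request["N1"], "ticket": ticket.hex()}))

def run_exchange(tamper_ticket: bool = False) -> dict:
    ka, kb = os.urandom(32), os.urandom(32)     # master keys A<->KDC and B<->KDC
    kdc = KDC({"A": ka, "B": kb})

    # Step 1: A -> KDC: IDA || IDB || N1 (the nonce lets A check the reply is fresh)
    n1 = os.urandom(8).hex()
    msg2 = kdc.issue({"IDA": "A", "IDB": "B", "N1": n1})

    # A opens the reply; N1 and IDB must match the request, otherwise it is a replay
    reply = unpack(dec(ka, msg2))
    if reply["N1"] != n1 or reply["IDB"] != "B":
        raise ValueError("A: reply not fresh or not for the requested peer")
    ks_a = bytes.fromhex(reply["Ks"])
    ticket = bytes.fromhex(reply["ticket"])

    # Step 3: A -> B: E(Kb, [Ks || IDA]); only B can open it
    if tamper_ticket:                           # failure mode: ticket modified in transit
        ticket = ticket[:-1] + bytes([ticket[-1] ^ 1])
    inner = unpack(dec(kb, ticket))             # raises ValueError if tampered
    ks_b = bytes.fromhex(inner["Ks"])

    # Step 4: B -> A: E(Ks, N2).  Step 5: A -> B: E(Ks, f(N2)) with f(x) = x + 1
    n2 = int.from_bytes(os.urandom(4), "big")
    msg4 = enc(ks_b, n2.to_bytes(4, "big"))
    n2_at_a = int.from_bytes(dec(ks_a, msg4), "big")
    msg5 = enc(ks_a, ((n2_at_a + 1) % 2**32).to_bytes(4, "big"))
    b_confirms_a = int.from_bytes(dec(ks_b, msg5), "big") == (n2 + 1) % 2**32

    return {"same_session_key": ks_a == ks_b, "peer_is_live": b_confirms_a,
            "ticket_names": inner["IDA"]}

if __name__ == "__main__":
    print(run_exchange())
```

Steps 4 and 5 are what the slide calls authentication: B learns that whoever sent the ticket in step 3 also holds Ks right now, so an old captured ticket replayed later cannot complete the handshake. Note that N1 protects A, not B; B's only freshness check is the N2 round trip.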
Key Distribution Centre (KDC) Hierarchy
• Local KDCs: KDCA (serving A) and KDCB (serving B), with KDCX above them
• Key selected by KDCA, KDCB, or KDCX
LIFETIME
• Shorter lifetime → higher security → reduced capacity
• Connection-oriented: change session key periodically
• Connectionless: new key every exchange, or every N transactions, or after a time period
Key Distribution (connection-oriented)
• End-to-End (X.25, TCP)
• FEP (front-end processor) obtains session keys
Decentralised Key Control
• avoids trusted third party
• not practical for large networks
KEY USAGE
• key types: Data, PIN, File
• key tags: Session/Master/Encrypt/Decrypt
• Control Vector: associate session key with control vector (Fig 7.12)
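How a control vector binds a session key to its permitted use, as an added example (illustrative code, not the textbook's): the session key Ks is encrypted under Km XOR H(CV), so a party can only recover Ks by supplying the same control vector that was used when the key was wrapped. The control-vector field layout and the toy wrap function are constructed for this example.

```python
import hashlib
import hmac
import os

def encode_cv(key_type: str, allowed_ops: tuple) -> bytes:
    """Serialise a control vector. Field names and format are constructed for this example."""
    return f"type={key_type};ops={','.join(sorted(allowed_ops))}".encode()

def _wrapping_key(km: bytes, cv: bytes) -> bytes:
    """Km XOR H(CV): hashing stretches the variable-length CV to the master-key length."""
    h = hashlib.sha256(cv).digest()
    if len(km) != len(h):
        raise ValueError("master key must be 32 bytes for this toy construction")
    return bytes(a ^ b for a, b in zip(km, h))

def _xor_with_stream(key: bytes, data: bytes) -> bytes:
    """Toy E(key, data): XOR with one HMAC-derived block. Constructed; not a real cipher."""
    stream = hmac.new(key, b"control-vector-wrap", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

def wrap_session_key(km: bytes, ks: bytes, cv: bytes) -> bytes:
    """Encrypted key = E(Km XOR H(CV), Ks); stored or shipped together with CV."""
    return _xor_with_stream(_wrapping_key(km, cv), ks)

def unwrap_session_key(km: bytes, blob: bytes, cv: bytes) -> bytes:
    """Ks = D(Km XOR H(CV), encrypted key); any other CV yields a different key."""
    return _xor_with_stream(_wrapping_key(km, cv), blob)

def demo() -> tuple:
    km = os.urandom(32)    # master key held by the cryptographic facility
    ks = os.urandom(16)    # session key to be protected
    cv_encrypt_only = encode_cv("data", ("encrypt",))
    blob = wrap_session_key(km, ks, cv_encrypt_only)

    honest = unwrap_session_key(km, blob, cv_encrypt_only)
    # Presenting a widened CV (adding 'decrypt') changes H(CV), so the result is
    # not Ks: the key cannot be repurposed by changing the vector after the fact.
    cv_widened = encode_cv("data", ("encrypt", "decrypt"))
    forged = unwrap_session_key(km, blob, cv_widened)
    return honest == ks, forged == ks

if __name__ == "__main__":
    print(demo())   # (True, False)
```

The scheme enforces usage by making the wrong vector produce a wrong key, not by rejecting it; an implementation that wants an explicit error on a mismatched control vector has to add an integrity check on the recovered key.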
Random Number Generation
• Linear Congruential Generator: X_(n+1) = (a·X_n + c) mod m
• Encryption: DES (OFB) – (Fig 7.14)
• Blum Blum Shub (BBS):
  - X_0 = s^2 mod n
  - for i = 1 to infinity: X_i = (X_(i-1))^2 mod n; B_i = X_i mod 2
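The two generators on the slide, as an added example (illustrative code, not the textbook's), with the check that matters for key generation: an LCG's parameters a and c can be solved for from three consecutive outputs once m is known, so it is predictable, while BBS requires n = p·q with p ≡ q ≡ 3 (mod 4) and a seed coprime to n. The LCG parameters (a = 16807 and a = 48271 with m = 2^31 − 1) and the BBS values (p = 383, q = 503, s = 101355) are standard textbook values; the seed 12345 and the increment 12345 are constructed.

```python
from math import gcd

def lcg(seed: int, a: int, c: int, m: int, count: int) -> list:
    """X_(n+1) = (a*X_n + c) mod m; returns the first `count` outputs after the seed."""
    out, x = [], seed
    for _ in range(count):
        x = (a * x + c) % m
        out.append(x)
    return out

def recover_lcg_params(x0: int, x1: int, x2: int, m: int) -> tuple:
    """Solve x2 - x1 = a*(x1 - x0) (mod m) for a, then c = x1 - a*x0 (mod m).
    Needs gcd(x1 - x0, m) == 1, which always holds for prime m and x1 != x0."""
    d = (x1 - x0) % m
    if gcd(d, m) != 1:
        raise ValueError("difference of outputs is not invertible mod m")
    a = ((x2 - x1) * pow(d, -1, m)) % m
    c = (x1 - a * x0) % m
    return a, c

def predict_lcg_next(outputs: list, m: int) -> int:
    """Predictability check: recover (a, c) from three outputs and predict the fourth."""
    a, c = recover_lcg_params(outputs[0], outputs[1], outputs[2], m)
    return (a * outputs[2] + c) % m

def bbs_bits(s: int, p: int, q: int, count: int) -> tuple:
    """Blum Blum Shub: X_0 = s^2 mod n, X_i = X_(i-1)^2 mod n, B_i = X_i mod 2.
    Returns (bits, states) so the internal states can be inspected."""
    if p % 4 != 3 or q % 4 != 3:
        raise ValueError("p and q must both be congruent to 3 mod 4")
    n = p * q
    if gcd(s, n) != 1:
        raise ValueError("seed must be coprime to n")
    x = pow(s, 2, n)
    bits, states = [], []
    for _ in range(count):
        x = pow(x, 2, n)
        states.append(x)
        bits.append(x & 1)
    return bits, states

if __name__ == "__main__":
    m = 2**31 - 1
    xs = lcg(12345, 16807, 0, m, 4)
    print("LCG outputs:", xs)
    print("recovered (a, c):", recover_lcg_params(xs[0], xs[1], xs[2], m))
    print("predicted 4th == actual:", predict_lcg_next(xs[:3], m) == xs[3])
    print("BBS bits, states:", bbs_bits(101355, 383, 503, 3))
```

The point of `predict_lcg_next` is the one the slide's "Encryption: DES (OFB)" line hints at: statistical quality is not unpredictability. An observer who sees a few LCG outputs can compute all later ones, whereas predicting BBS output from its bits is believed to be as hard as factoring n, which is why the slide lists a cipher-based generator and BBS as the cryptographic options.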