May 21, 2015

INTSEC

- 1. Internet and Intranet Protocols and Applications
- Network (Internet) Security

- Paul Christian P. Abad

2. What is network security?

- Secrecy:only sender, intended receiver should understand msg contents

- sender encrypts msg

- receiver decrypts msg

- Authentication:sender, receiver want to confirm identity of each other

- Message Integrity:sender, receiver want to ensure message not altered (in transit, or afterwards) without detection

- Non-repudiation:sender cannot claim other than what was sent

3. Internet security threats

- Packet sniffing:

- broadcast media

- promiscuous NIC reads all packets passing by

- can read all unencrypted data (e.g. passwords)

- e.g.: C sniffs Bs packets

A B C src:B dest:Apayload 4. Internet security threats

- IP Spoofing:

- can generate raw IP packets directly from application, putting any value into IP source address field

- receiver cant tell if source is spoofed

- e.g.: C pretends to be B

A B C src:Bdest:Apayload 5. Internet security threats

- Denial of service (DOS):

- flood of maliciously generated packets swamp receiver

- Distributed DOS (DDOS): multiple coordinated sources swamp receiver

- e.g., C and remote host SYN-attack A

A B C SYN SYN SYN SYN SYN SYN SYN 6. Cryptography

- Encryptionis a process applied to a bit of information that changes the informations appearance, but not its (decrypted) meaning.

- Decryptionis the reverse process.

- If C is a bit ofcipher text(encrypted data) and M is a message ( plain text )then,

- C = E k (M)andM = D k (C)

- Where E kandD kare encryption and decryption processes respectively.

- E kandD kare both based on some key k.

7. Cryptography Algorithms

- symmetric keycrypto: sender, receiver keys identical

- public-keycrypto: encrypt keypublic , decrypt keysecret

Figure 7.3 goes here plaintext plaintext ciphertext K A K B 8. Friends and enemies: Alice, Bob, Trudy

- Well-known model in network security world

- Bob, Alice want to communicate securely

- Trudy, the intruder may intercept, delete, add messages

- Sometimes Trudys friend Mallory (malicious) may appear

Figure 7.1 goes here 9. Cryptography Basics

- Symmetric KeyCryptography:

- E k= D k (and must be kept SECRET!!!)

- Public KeyCryptography:

- E kis a public key (everyone can know it)

- D kis a private key and belongs toONEentity.

- Symmetric Key Algorithms are fast

- Public Key Algorithms are SLOW!!!

10. Symmetric Key Ciphers

- Substitution:

- (a = k, b = q, )

- Transposition:

- (c1 = c12, c2 = c5, c3 = c1, )

- Composition (both substitution and transposition, such as DES)

- One-Time code pad

11. Symmetric key cryptography

- substitution cipher:substituting one thing for another

- monoalphabetic cipher: substitute one letter for another

plaintext:abcdefghijklmnopqrstuvwxyz ciphertext:mnbvcxzasdfghjklpoiuytrewq Plaintext: bob. i love you. alice ciphertext: nkn. s gktc wky. mgsbc E.g.: 12. DES: Data Encryption Standard

- US encryption standard [NIST 1993]

- 56-bit symmetric key, 64 bit plain-text input

- How secure is DES?

- DES Challenge: 56-bit-key-encrypted phrase( Strong cryptography makes the world a safer place ) decrypted (brute force) in 4 months

- no known backdoor decryption approach

13. Symmetric keycrypto: DES

- initial permutation

- 16 identical rounds of function application, each using different 48 bits of key

- final permutation

DES operation 14. Public key cryptography

- Figure 7.7 goes here

15. How do public key algorithms work?

- They depend on the existence of some very hard mathematical problems to solve:

- Factoring VERY large numbers (example, a number containing 1024 bits!)

- Calculating discrete logarithms

- Find x where a x b (mod n)

- By hard we mean that it will take a super computer a very long time (months or years)

16. RSA encryption algorithm

- RSAdepends on factoring large numbers.Here is the algorithm :

Need d B ( ) and e B ( ) such that Need public and private keys for d B ( ) and e B ( ) Two inter-related requirements: d(e(m))=m B B 1 2 17. RSA: Choosing keys 1.Choose two large prime numbersp, q. (e.g., 1024 bits each) 2.Computen= pq,z = (p-1)(q-1 ) 3.Choosee( witheGoal: Bob wants Alice to prove her identity to him Protocol ap1.0: Alice says I am Alice Failure scenario?? 21. Authentication: another try Protocol ap2.0: Alice says I am Alice and sends her IP address along to prove it. Failure scenario? 22. Authentication: another try Protocol ap3.0: Alice says I am Alice and sends her secret password to prove it. Failure scenario? 23. Authentication: yet another try Protocol ap3.1: Alice says I am Alice and sends her encryptedsecret password to prove it. Failure scenario? I am Alice encrypt(password) 24. Authentication: yet another try Goal: avoid playback attack Failures, drawbacks? Figure 7.11 goes here Nonce: number (R) used only once in a lifetime ap4.0: to prove Alice live, Bob sends Alicenonce , R.Alice must return R, encrypted with shared secret key 25. Authentication: ap5.0

- ap4.0 requires shared symmetric key

- problem: how do Bob, Alice agree on key

- can we authenticate using public key techniques?

- ap5.0:use nonce, public key cryptography

Figure 7.12 goes here 26. ap5.0: security hole

- Man (woman) in the middle attack:Trudy poses as Alice (to Bob) and as Bob (to Alice)

Figure 7.14 goes here 27. Digital Signatures

- Cryptographic technique analogous to hand-written signatures.

- Sender (Bob) digitally signs document,establishing he is document owner/creator.

- Verifiable, nonforgeable:recipient (Alice) can verify that Bob, and no one else, signed document.

- Simple digital signature for message m:

- Bob encrypts m with his private key d B , creating signed message, d B (m).

- Bob sends m and d B (m) to Alice.

28. Digital Signatures (more)

- Suppose Alice receives msgm , and digital signatured B (m)

- Alice verifiesmsigned by Bob by applying Bobs public keye Btod B (m) thencheckse B (d B (m) ) = m.

- Ife B (d B (m) ) = m , whoever signedmmust have used Bobs private key.

- Alice thus verifies that:

- Bob signedm .

- No one else signedm .

- Bob signed m and notm .

- Non-repudiation:

- Alice can takem , and signatured B (m)to court and prove that Bob signedm .

29. Message Digests

- Computationally expensive to public-key-encrypt long messages

- Goal:fixed-length,easy to compute digital signature, fingerprint

- apply hash function H tom , get fixed size message digest,H(m).

- Hash function properties:

- Produces fixed-size msg digest (fingerprint)

- Given message digest x, computationally infeasible to find m such that x = H(m)

- computationally infeasible to find any two messages m and m such that H(m) = H(m).

30. Digital signature = Signed message digest

- Bob sends digitally signed message:

- Alice verifies signature and integrity of digitally signed message:

31. Hash Function Algorithms

- Internet checksum would make a poor message digest.

- Too easy to find two messages with same checksum.

- MD5 hash function widely used.

- Computes 128-bit message digest in 4-step process.

- arbitrary 128-bit string x, appears difficult to construct msg m whose MD5 hash is equal to x.

- SHA-1 is also used.

- US standard

- 160-bit message digest

32. Trusted Intermediaries

- Problem:

Related Documents See more >