Part I: Introduction - Computer Science Division


Last class
• Ethernet
• Hubs and Switches
• Mobile and wireless networks, CDMA
Today
• CDMA and IEEE 802.11 wireless LANs
• Network security
1
10BaseT and 100BaseT Ethernet
• Uses CSMA/CD
• 10/100 Mbps rate; latter called “fast ethernet”
• T stands for Twisted Pair
• Nodes connect to a hub: “star topology”; 100 m max distance between nodes and hub
[Figure: nodes connected by twisted pair to a hub]
2
Interconnecting with hubs
Pros:
• Enables interdepartmental communication
• Extends max distance btw. nodes
• If a hub malfunctions, the backbone hub can disconnect it
Cons:
• Collision domains are transferred into one large, common domain
• Cannot interconnect 10BaseT and 100BaseT
[Figure: hubs interconnected through a backbone hub]
3
Switch: traffic isolation
• switch installation breaks subnet into LAN segments
• switch filters packets:
  - same-LAN-segment frames not usually forwarded onto other LAN segments
  - segments become separate collision domains
[Figure: a switch connecting three hubs, each hub forming its own collision domain]
4
Wireless network characteristics
Multiple wireless senders and receivers create additional problems (beyond multiple access):
Hidden terminal problem
• B, A hear each other
• B, C hear each other
• A, C can not hear each other
means A, C unaware of their interference at B
Signal fading:
• B, A hear each other
• B, C hear each other
• A, C can not hear each other interfering at B
[Figure: nodes A, B, C; A’s and C’s signal strength plotted over space]
5
Overview
• CDMA and IEEE 802.11 wireless LANs
• Network security
6
Code Division Multiple Access (CDMA)
• used in several wireless broadcast channels (cellular, satellite, etc) standards
• unique “code” assigned to each user; i.e., code set partitioning
• all users share same frequency, but each user has own “chipping” sequence (i.e., code) to encode data
• encoded signal = (original data) X (chipping sequence)
• decoding: inner-product of encoded signal and chipping sequence
• allows multiple users to “coexist” and transmit simultaneously with minimal interference (if codes are “orthogonal”)
7
CDMA Encode/Decode
sender: data bits $d_0 = 1$, $d_1 = -1$; each data bit is multiplied by the code to give the channel output
$Z_{i,m} = d_i \cdot c_m$
receiver: inner product of the received input (channel output $Z_{i,m}$) with the same code
$D_i = \frac{1}{M} \sum_{m=1}^{M} Z_{i,m} \cdot c_m$
recovering $d_0 = 1$, $d_1 = -1$
[Figure: chip values of the data bits, code and channel output for slot 0 and slot 1, at sender and receiver]
8
CDMA: two-sender interference
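The encode and decode rules above, carried through for two senders sharing one channel, as an added example that is not part of the original slides. The three 8-chip codes and the second sender's bits are constructed for illustration; the last case shows the cross-talk that appears when the codes are not orthogonal.

```python
# Added illustration: CDMA encode/decode with two senders on one channel.
# CODE_A, CODE_B and CODE_C are constructed sample codes (assumptions),
# not values taken from the slides.

CODE_A = [1, 1, 1, -1, 1, -1, -1, -1]
CODE_B = [1, -1, 1, 1, 1, -1, 1, 1]    # orthogonal to CODE_A
CODE_C = [1, 1, 1, -1, 1, -1, -1, 1]   # NOT orthogonal to CODE_A


def inner(u, v):
    """Inner product of two chip sequences."""
    return sum(a * b for a, b in zip(u, v))


def encode(bits, code):
    """Z[i][m] = d_i * c_m: one slot of M chips per data bit (+1 or -1)."""
    return [[d * c for c in code] for d in bits]


def channel(*signals):
    """Simultaneous transmissions add chip by chip on the shared channel."""
    return [[sum(chips) for chips in zip(*slots)] for slots in zip(*signals)]


def decode(received, code):
    """D_i = (1/M) * sum over m of Z[i][m] * c_m."""
    return [inner(slot, code) / len(code) for slot in received]


if __name__ == "__main__":
    bits_a, bits_b = [1, -1], [1, 1]
    rx = channel(encode(bits_a, CODE_A), encode(bits_b, CODE_B))
    print("codes A and B orthogonal:", inner(CODE_A, CODE_B) == 0)
    print("receiver using CODE_A:", decode(rx, CODE_A))
    print("receiver using CODE_B:", decode(rx, CODE_B))
    # With a non-orthogonal second code the other sender leaks into D_i.
    bad = channel(encode([1], CODE_A), encode([-1], CODE_C))
    print("A's bit with interferer on CODE_C:", decode(bad, CODE_A))
```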
9
Overview
• CDMA and IEEE 802.11 wireless LANs
• Network security
10
IEEE 802.11 Wireless LAN
• 802.11b
  - 2.4-5 GHz unlicensed radio spectrum
  - up to 11 Mbps
  - direct sequence spread spectrum (DSSS) in physical layer
    - all hosts use same chipping code
  - widely deployed, using base stations
• 802.11a
  - 5-6 GHz range
  - up to 54 Mbps
• 802.11g
  - 2.4-5 GHz range
  - up to 54 Mbps
• All use CSMA/CA for multiple access
• All have base-station and ad-hoc network versions
11
802.11 LAN architecture
• wireless host communicates with base station
  - base station = access point (AP)
• Basic Service Set (BSS) (aka “cell”) in infrastructure mode contains:
  - wireless hosts
  - access point (AP): base station
  - ad hoc mode: hosts only
[Figure: BSS 1 and BSS 2, each with an AP, connected through a hub, switch or router to the Internet]
12
802.11: Channels, association
• 802.11b: 2.4GHz-2.485GHz spectrum divided into 11 channels at different frequencies
  - AP admin chooses frequency for AP
  - interference possible: channel can be same as that chosen by neighboring AP!
• host: must associate with an AP
  - scans channels, listening for beacon frames containing AP’s name (SSID) and MAC address
  - selects AP to associate with
  - may perform authentication [Chapter 8]
  - will typically run DHCP to get IP address in AP’s subnet
13
IEEE 802.11: multiple access
• avoid collisions: 2+ nodes transmitting at same time
• 802.11: CSMA - sense before transmitting
  - don’t collide with ongoing transmission by other node
• 802.11: no collision detection!
  - difficult to receive (sense collisions) when transmitting due to weak received signals (fading)
  - can’t sense all collisions in any case: hidden terminal, fading
  - goal: avoid collisions: CSMA/C(ollision)A(voidance)
[Figure: hidden terminal and fading; nodes A, B, C with A’s and C’s signal strength over space]
14
IEEE 802.11 MAC Protocol: CSMA/CA
802.11 sender
1 if sense channel idle for DIFS then
    transmit entire frame (no CD)
2 if sense channel busy then
    - start random backoff time
    - timer counts down while channel idle
    - transmit when timer expires
    - if no ACK, increase random backoff interval, repeat 2
802.11 receiver
- if frame received OK
    return ACK after SIFS (ACK needed due to hidden terminal problem)
[Figure: sender/receiver timeline: DIFS, data, SIFS, ACK]
15
Avoiding collisions (more)
idea: allow sender to “reserve” channel rather than random access of data frames: avoid collisions of long data frames
• sender first transmits small request-to-send (RTS) packets to BS using CSMA
  - RTSs may still collide with each other (but they’re short)
• BS broadcasts clear-to-send CTS in response to RTS
• RTS heard by all nodes
  - sender transmits data frame
  - other stations defer transmissions
Avoid data frame collisions completely using small reservation packets!
16
Collision Avoidance: RTS-CTS exchange
[Figure: timeline for A, AP and B: reservation collision, then DATA (A) while the other station defers]
17
802.11 frame: addressing
Frame fields (with sizes):
frame control (2) | duration (2) | address 1 (6) | address 2 (6) | address 3 (6) | seq control (2) | address 4 (6) | payload (0 - 2312) | CRC (4)
• Address 1: MAC address of wireless host or AP to receive this frame
• Address 2: MAC address of wireless host or AP transmitting this frame
• Address 3: MAC address of router interface to which AP is attached
• Address 4: used only in ad hoc mode
18
802.11 frame: addressing
[Figure: H1, AP, R1 router, Internet]
802.11 frame: address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr
802.3 frame: dest. address = R1 MAC addr, source address = AP MAC addr
19
802.11: mobility within same subnet
• H1 remains in same IP subnet: IP address can remain same
• switch: which AP is associated with H1?
  - self-learning (Ch. 5): switch will see frame from H1 and “remember” which switch port can be used to reach H1
[Figure: router, hub or switch, AP 1 in BSS 1, AP 2 in BSS 2, H1]
20
Network Security
What is network security?
Principles of cryptography
Authentication
Access control: firewalls
Attacks and counter measures
21
What is network security?
Confidentiality: only sender, intended receiver should “understand” message contents
• sender encrypts message
• receiver decrypts message
Authentication: sender, receiver want to confirm identity of each other
Message Integrity: sender, receiver want to ensure message content not altered (in transit, or afterwards) without detection
Access and Availability: services must be accessible and available to users
22
Friends and enemies: Alice, Bob, Trudy
• well-known in network security world
• Bob, Alice (lovers!) want to communicate “securely”
• Trudy (intruder) may intercept, delete, add messages
[Figure: Alice (data, secure sender) and Bob (secure receiver, data) exchange data and control messages over a channel; Trudy sits on the channel]
23
Who might Bob, Alice be?
• … well, real-life Bobs and Alices!
• Web browser/server for electronic transactions (e.g., on-line purchases)
• on-line banking client/server
• DNS servers
• routers exchanging routing table updates
• other examples?
24
There are bad guys (and girls) out there!
Q: What can a “bad guy” do?
A: a lot!
• eavesdrop: intercept messages
• actively insert messages into connection
• impersonation: can fake (spoof) source address in packet (or any field in packet)
• hijacking: “take over” ongoing connection by removing sender or receiver, inserting himself in place
• denial of service: prevent service from being used by others (e.g., by overloading resources)
more on this later ……
25
Overview
What is network security?
Principles of cryptography
Authentication
Access control: firewalls
Attacks and counter measures
26
The language of cryptography
[Figure: plaintext -> encryption algorithm (Alice’s encryption key $K_A$) -> ciphertext -> decryption algorithm (Bob’s decryption key $K_B$) -> plaintext]
symmetric key crypto: sender, receiver keys identical
public-key crypto: encryption key public, decryption key secret (private)
27
Symmetric key cryptography
substitution cipher: substituting one thing for another
• monoalphabetic cipher: substitute one letter for another
plaintext:  abcdefghijklmnopqrstuvwxyz
ciphertext: mnbvcxzasdfghjklpoiuytrewq
E.g.:
Plaintext:  bob. i love you. alice
ciphertext: nkn. s gktc wky. mgsbc
Q: How hard to break this simple cipher?:
• brute force (how hard?)
• other?
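The substitution table from the slide, worked through in Python as an added example (not part of the original slides; the helper names are illustrative). It goes slightly beyond the slide by putting numbers on the question: the key space is 26! keys, yet the cipher preserves letter counts, and every known plaintext letter gives away one table entry.

```python
# Added illustration of the slide's monoalphabetic cipher.
# The table and the sample message come from the slide; function names are
# assumptions made for this example.
import math
import string
from collections import Counter

PLAIN = string.ascii_lowercase
CIPHER = "mnbvcxzasdfghjklpoiuytrewq"
ENC = str.maketrans(PLAIN, CIPHER)
DEC = str.maketrans(CIPHER, PLAIN)


def encrypt(message):
    """Substitute each letter; punctuation and spaces pass through."""
    return message.translate(ENC)


def decrypt(ciphertext):
    return ciphertext.translate(DEC)


def keyspace_bits():
    """Brute force must search 26! possible tables, about 88 bits."""
    return math.log2(math.factorial(26))


def count_profile(text):
    """Sorted letter counts: identical for plaintext and ciphertext."""
    return sorted(Counter(c for c in text if c.isalpha()).values(), reverse=True)


def known_plaintext_pairs(plain, cipher):
    """Each aligned (plaintext, ciphertext) letter reveals one table entry."""
    return {c: p for p, c in zip(plain, cipher) if p.isalpha()}


if __name__ == "__main__":
    msg = "bob. i love you. alice"
    ct = encrypt(msg)
    print(ct, "->", decrypt(ct))
    print("key space: about %.1f bits" % keyspace_bits())
    print("same count profile:", count_profile(msg) == count_profile(ct))
    print("table entries leaked by one known message:",
          len(known_plaintext_pairs(msg, ct)), "of 26")
```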
28
Symmetric key cryptography
[Figure: plaintext message, m -> encryption algorithm (key $K_{A-B}$) -> ciphertext $K_{A-B}(m)$ -> decryption algorithm (key $K_{A-B}$) -> plaintext $m = K_{A-B}(K_{A-B}(m))$]
symmetric key crypto: Bob and Alice share (know) the same (symmetric) key: $K_{A-B}$
• e.g., key is knowing substitution pattern in mono alphabetic substitution cipher
• Q: how do Bob and Alice agree on key value?
29
Symmetric key crypto: DES
DES: Data Encryption Standard
• US encryption standard [NIST 1993]
• 56-bit symmetric key, 64-bit plaintext input
• How secure is DES?
  - DES Challenge: 56-bit-key-encrypted phrase (“Strong cryptography makes the world a safer place”) decrypted (brute force) in 4 months
  - no known “backdoor” decryption approach
• making DES more secure:
  - use three keys sequentially (3-DES) on each datum
  - use cipher-block chaining
30
Symmetric key crypto: DES
DES operation
• initial permutation
• 16 identical “rounds” of function application, each using different 48 bits of key
• final permutation
31
AES: Advanced Encryption Standard
• new (Nov. 2001) symmetric-key NIST standard, replacing DES
• processes data in 128 bit blocks
• 128, 192, or 256 bit keys
• brute force decryption (try each key) taking 1 sec on DES, takes 149 trillion years for AES
32
Public Key Cryptography
symmetric key crypto
• requires sender, receiver know shared secret key
• Q: how to agree on key in first place (particularly if never “met”)?
public key cryptography
• radically different approach [Diffie-Hellman76, RSA78]
• sender, receiver do not share secret key
• public encryption key known to all
• private decryption key known only to receiver
33
Public key cryptography
[Figure: plaintext message, m -> encryption algorithm (Bob’s public key $K_B^+$) -> ciphertext $K_B^+(m)$ -> decryption algorithm (Bob’s private key $K_B^-$) -> plaintext message $m = K_B^-(K_B^+(m))$]
34
Public key encryption algorithms
Requirements:
1. need $K_B^+(\cdot)$ and $K_B^-(\cdot)$ such that $K_B^-(K_B^+(m)) = m$
2. given public key $K_B^+$, it should be impossible to compute private key $K_B^-$
RSA: Rivest, Shamir, Adleman algorithm
35