Computer Network 2
Download
Report
Transcript Computer Network 2
Cryptography &
Network Security
MSc. NGUYEN CAO DAT
Dr. TRAN VAN HOAI
Principles of modern ciphers
Implement crypto library
Network Security Applications
System Security
1
BK
TP.HCM
Course details
Number of credits: 3
Study time allocation per week:
2 lecture hours for theory
2 lecture hours for lab, exercises
6 hours for self-study
Website: http://www.cse.hcmut.edu.vn/~dat
2
BK
TP.HCM
Course outline (1/2)
Basics of Cryptography
▫ Symmetric key
▫ Public key
▫ Hash function
Network Security Applications
▫ Authentication applications
▫ E-mail security
3
BK
TP.HCM
Course outline (2/2)
Network Security Applications (con’t)
▫ Web security
▫ IP security
System Security
▫ IDS/IPS
▫ Firewalls
▫…
4
BK
TP.HCM
References
[1] “Cryptography and Network Security
Principles and Practices”, W. Stallings, 4th ed.,
Prentice Hall, 2005
[2] Slides “Cryptography and Network Security”,
Bộ môn Hệ thống và Mạng, Khoa Khoa học và
Kỹ thuật máy tính, ĐHBK Tp.HCM.
5
BK
TP.HCM
Assessment Scheme
Attending lectures: >80% lecture times
Reading textbooks and references
Self-study and working in group
Lab: 20%
Assignments: 20%
Midterm Exam: 20%, multiple question choice
test – 45’
Final Exam: 40%, multiple question choice test
– 60’
6
Chapter 1
Introduction
MSc. NGUYEN CAO DAT
Dr. TRAN VAN HOAI
7
BK
TP.HCM
Background
Information Security requirements have
changed in recent times.
traditionally provided by physical and
administrative mechanisms.
computer use requires automated tools to
protect files and other stored information.
use of networks and communications links
requires measures to protect data during
transmission.
8
BK
TP.HCM
Definitions
Computer Security - generic name for the
collection of tools designed to protect data and
to thwart hackers.
Network Security - measures to protect data
during their transmission.
Internet Security - measures to protect data
during their transmission over a collection of
interconnected networks.
9
BK
TP.HCM
Aim of Course
our focus is on Internet Security
which consists of measures to deter, prevent,
detect, and correct security violations that
involve the transmission & storage of
information
10
BK
TP.HCM
Security Trends
11
12
BK
TP.HCM
BK
TP.HCM
OSI Security Architecture
ITU-T X.800 “Security Architecture for OSI”
defines a systematic way of defining and
providing security requirements
for us it provides a useful, if abstract, overview
of concepts we will study
13
BK
TP.HCM
Aspects of Security
consider 3 aspects of information security:
▫ security attack
▫ security mechanism
▫ security service
14
BK
TP.HCM
Security Attack
any action that compromises the security of
information owned by an organization
information security is about how to prevent
attacks, or failing that, to detect attacks on
information-based systems
often threat & attack used to mean same thing
have a wide range of attacks
can focus of generic types of attacks
▫ passive
▫ active
15
BK
TP.HCM
Classify Security Attacks
passive attacks - eavesdropping on, or
monitoring of, transmissions to:
▫ obtain message contents, or
▫ monitor traffic flows
active attacks – modification of data stream to:
▫
▫
▫
▫
masquerade of one entity as some other
replay previous messages
modify messages in transit
denial of service
16
BK
TP.HCM
Types of Attacks
17
BK
TP.HCM
Passive Attacks
18
BK
TP.HCM
Active Attacks
19
BK
TP.HCM
Security Service
▫ enhance security of data processing systems
and information transfers of an organization
▫ intended to counter security attacks
▫ using one or more security mechanisms
▫ often replicates functions normally associated
with physical documents
20
BK
TP.HCM
Security Services
X.800
“a service provided by a protocol layer of
communicating open systems, which ensures
adequate security of the systems or of data
transfers”
RFC 2828
“a processing or communication service provided
by a system to give a specific kind of protection
to system resources”
21
BK
TP.HCM
Security Services (X.800)
Authentication - assurance that the
communicating entity is the one claimed
Access Control - prevention of the
unauthorized use of a resource
Data Confidentiality –protection of data from
unauthorized disclosure
Data Integrity - assurance that data received is
as sent by an authorized entity
Non-Repudiation - protection against denial by
one of the parties in a communication
22
BK
TP.HCM
Security Mechanism
feature designed to detect, prevent, or recover
from a security attack
no single mechanism that will support all
services required
however one particular element underlies many
of the security mechanisms in use:
▫ cryptographic techniques
hence our focus on this topic
23
BK
TP.HCM
Security Mechanisms (X.800)
specific security mechanisms
▫ encipherment, digital signatures, access
controls, data integrity, authentication exchange,
traffic padding, routing control, notarization
pervasive security mechanisms
▫ trusted functionality, security labels, event
detection, security audit trails, security recovery
24
BK
TP.HCM
Model for Network Security
25
BK
TP.HCM
Model for Network Security
using this model requires us to:
1. design a suitable algorithm for the security
transformation
2. generate the secret information (keys) used by
the algorithm
3. develop methods to distribute and share the
secret information
4. specify a protocol enabling the principals to use
the transformation and secret information for a
security service
26
BK
TP.HCM
Model for Network Access Security
27
BK
TP.HCM
Model for Network Access Security
using this model requires us to:
1. select appropriate gatekeeper functions to
identify users
2. implement security controls to ensure only
authorised users access designated information
or resources
trusted computer systems may be useful to
help implement this model
28
BK
TP.HCM
Cryptography
29
BK
TP.HCM
Cryptography
characterize cryptographic system by:
▫ type of encryption operations used
substitution / transposition / product
▫ number of keys used
single-key or private / two-key or public
▫ way in which plaintext is processed
block / stream
30
BK
TP.HCM
Cryptanalysis
objective to recover key not just
message
general approaches:
▫ cryptanalytic attack
▫ brute-force attack
31
BK
TP.HCM
Cryptanalytic Attacks
ciphertext only
▫ only know algorithm & ciphertext, is statistical,
know or can identify plaintext
known plaintext
▫ know/suspect plaintext & ciphertext
chosen plaintext
▫ select plaintext and obtain ciphertext
chosen ciphertext
▫ select ciphertext and obtain plaintext
chosen text
▫ select plaintext or ciphertext to en/decrypt
32
BK
TP.HCM
More Definitions
unconditional security
▫ no matter how much computer power or time is
available, the cipher cannot be broken since the
ciphertext provides insufficient information to
uniquely determine the corresponding plaintext
computational security
▫ given limited computing resources (eg time
needed for calculations is greater than age of
universe), the cipher cannot be broken
33
BK
TP.HCM
Brute Force Search
always possible to simply try every key
most basic attack, proportional to key size
assume either know / recognise plaintext
Key Size (bits)
Number of Alternative
Keys
Time required at 1
decryption/µs
Time required at 106
decryptions/µs
32
232 = 4.3 109
231 µs
= 35.8 minutes
2.15 milliseconds
56
256 = 7.2 1016
255 µs
= 1142 years
10.01 hours
128
2128 = 3.4 1038
2127 µs
= 5.4 1024 years
5.4 1018 years
168
2168 = 3.7 1050
2167 µs
= 5.9 1036 years
5.9 1030 years
26! = 4 1026
2 1026 µs = 6.4 1012 years
26 characters
(permutation)
6.4 106 years
34
BK
TP.HCM
Summary
have considered:
▫ definitions for:
computer, network, internet security
X.800 standard
security attacks, services, mechanisms
models for network (access) securityto
Cryptography, cryptanalysis
35
BK
TP.HCM
Self study
Symmetric Cipher Model
Classical Substitution Ciphers
▫
▫
▫
▫
▫
Caesar Cipher
Monoalphabetic Cipher
Playfair Cipher
Polyalphabetic Ciphers
Vigenère Cipher
Cryptanalysis using letter frequencies
36