Chap. 8 - WINSLab


Ch 8. Security in computer networks
Myungchul Kim
What is network security?
Confidentiality: only sender, intended receiver should “understand” message contents
– sender encrypts message
– receiver decrypts message
Authentication: sender, receiver want to confirm identity of each other
Message integrity: sender, receiver want to ensure message not altered (in transit, or afterwards) without detection
Access and availability: services must be accessible and available to users

There are bad guys (and girls) out there!
Q: What can a “bad guy” do?
A: a lot!
– eavesdrop: intercept messages
– actively insert messages into connection
– impersonation: can fake (spoof) source address in packet (or any field in packet)
– hijacking: “take over” ongoing connection by removing sender or receiver, inserting himself in place
– denial of service: prevent service from being used by others (e.g., by overloading resources)
more on this later ……

Principles of cryptography
– The encryption technique is known – published, standardized, and available to everyone.
– Symmetric key systems
– Public key systems
Symmetric key cryptography
– Block ciphers
  PGP, SSL, IPsec

Symmetric key crypto: DES
DES: Data Encryption Standard
US encryption standard [NIST 1993]
56-bit symmetric key, 64-bit plaintext input
How secure is DES?
– DES Challenge: 56-bit-key-encrypted phrase (“Strong cryptography makes the world a safer place”) decrypted (brute force) in 4 months
– no known “backdoor” decryption approach
making DES more secure:
– use three keys sequentially (3-DES) on each datum
– use cipher-block chaining

Symmetric key crypto: DES
DES operation
– initial permutation
– 16 identical “rounds” of function application, each using different 48 bits of key
– final permutation

AES: Advanced Encryption Standard
new (Nov. 2001) symmetric-key NIST standard, replacing DES
processes data in 128 bit blocks
128, 192, or 256 bit keys
brute force decryption (try each key) taking 1 sec on DES, takes 149 trillion years for AES

Public key encryption
– Diffie and Hellman, 1976
– For encryption, authentication, digital signature
– A public key available to everyone and a private key that is known only to a person

Message integrity
– Cryptographic hash function
– Originated from …
– Not tampered with on its way to …
– A cryptographic hash function: it is computationally infeasible to find any two different messages x and y such that H(x) = H(y).
– MD5 (128-bit hash)

Message authentication code

Digital signatures
– Verifiable and nonforgeable

Public key certification
– Verify that you have the actual public key of the entity
– Certification Authority: binding a public key to a particular entity
– ITU X.509

A certificate contains:
– Serial number (unique to issuer)
– info about certificate owner, including algorithm and key value itself (not shown)
– info about certificate issuer
– valid dates
– digital signature by issuer

End-point authentication
– The process of proving one’s identity to someone else.
- nonce: once in a lifetime

Securing E-mail
– Confidentiality, sender authentication, message integrity, receiver authentication
Pretty Good Privacy (PGP): MD5 or SHA for message digest; CAST, triple-DES or IDEA for symmetric key encryption and RSA for the public key encryption

Securing TCP connections: SSL
– Secure Sockets Layer (SSL)
– Transport Layer Security (TLS)
– Handshake, key distribution, and data transfer

Network-layer security: IPsec
– Virtual private networks (VPNs)
– Authentication Header (AH) protocol: source host authentication and data integrity
– Encapsulation Security Payload (ESP) protocol: … and confidentiality
– AH header: next header, security parameter index, sequence number, authentication data
– The ESP protocol
Key distribution
– Manual
– Automated: Internet Key Exchange protocol using public-key cryptography

IEEE 802.11 security
war-driving: drive around Bay area, see what 802.11 networks available?
– More than 9000 accessible from public roadways
– 85% use no encryption/authentication
– packet-sniffing and various attacks easy!
securing 802.11
– encryption, authentication
– first attempt at 802.11 security: Wired Equivalent Privacy (WEP): a failure
– current attempt: 802.11i

Securing wireless LANs
Wired equivalent privacy (WEP)
– Authentication and data encryption
– Symmetric shared key
– No key distribution
IEEE 802.11i

Firewalls and Intrusion Detection Systems
The goals of firewall
– All traffic from outside to inside, and vice versa, passes through the firewall
– Only authorized traffic, as defined by the local security policy, will be allowed to pass.
– The firewall itself is immune to penetration.

Traditional packet filters
– Filtering decision
  IP source or destination address
  Protocol type in IP datagram field: TCP, UDP, ICMP, OSPF, …
  TCP or UDP source and destination port
  TCP flag bits: SYN, ACK, …
  ICMP message type
  Different rules for datagrams leaving and entering the network
  Different rules for the different router interfaces.

Stateless packet filtering: more examples

Policy: No outside Web access.
Firewall Setting: Drop all outgoing packets to any IP address, port 80

Policy: No incoming TCP connections, except those for institution’s public Web server only.
Firewall Setting: Drop all incoming TCP SYN packets to any IP except 130.207.244.203, port 80

Policy: Prevent Web-radios from eating up the available bandwidth.
Firewall Setting: Drop all incoming UDP packets - except DNS and router broadcasts.

Policy: Prevent your network from being used for a smurf DoS attack.
Firewall Setting: Drop all ICMP packets going to a “broadcast” address (eg 130.207.255.255).

Policy: Prevent your network from being tracerouted
Firewall Setting: Drop all outgoing ICMP TTL expired traffic

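As an added example (not from the original slides), the five policy rows above written as one stateless filter that judges each packet on its header fields alone. It assumes the institution's prefix is 130.207.0.0/16, that the rows are combined into a single drop list with default allow, and that 198.51.100.7 stands in for an outside host; the router-broadcast exception in the UDP row is not modelled.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE = ip_network("130.207.0.0/16")  # assumption: institution's prefix, inferred from the table
WEB_SERVER = ip_address("130.207.244.203")
BROADCAST = INSIDE.broadcast_address  # 130.207.255.255

@dataclass
class Packet:  # only the header fields a traditional packet filter inspects
    src: str
    dst: str
    proto: str  # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flag names, e.g. {"SYN", "ACK"}
    icmp_type: int = -1

def outgoing(p):
    return ip_address(p.src) in INSIDE and ip_address(p.dst) not in INSIDE

def incoming(p):
    return ip_address(p.src) not in INSIDE and ip_address(p.dst) in INSIDE

# One drop rule per table row: (policy, predicate evaluated on a single packet).
RULES = [
    ("no outside Web access",
     lambda p: outgoing(p) and p.proto in ("tcp", "udp") and p.dport == 80),
    ("no incoming TCP connections except to the public Web server",
     lambda p: incoming(p) and p.proto == "tcp" and "SYN" in p.flags
     and "ACK" not in p.flags and not (ip_address(p.dst) == WEB_SERVER and p.dport == 80)),
    ("no incoming UDP except DNS",  # the router-broadcast exception is not modelled
     lambda p: incoming(p) and p.proto == "udp" and 53 not in (p.sport, p.dport)),
    ("no ICMP to the broadcast address (smurf)",
     lambda p: p.proto == "icmp" and ip_address(p.dst) == BROADCAST),
    ("no outgoing ICMP TTL expired (traceroute)",
     lambda p: outgoing(p) and p.proto == "icmp" and p.icmp_type == 11),  # 11 = Time Exceeded
]

def decide(p):  # stateless: first matching rule drops, default is allow (assumption)
    for policy, matches in RULES:
        if matches(p):
            return "drop", policy
    return "allow", None

if __name__ == "__main__":
    # Constructed packets; 198.51.100.7 (documentation range) plays the outside host.
    syn = frozenset({"SYN"})
    for dst, port in (("130.207.244.203", 80), ("130.207.1.5", 22)):
        print(dst, port, decide(Packet("198.51.100.7", dst, "tcp", 40000, port, syn)))
```

Because the web-server exception keys on the SYN flag without ACK, the server's own SYN/ACK replies leave the network without matching the port-80 outbound rule, which only looks at the destination port.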
- Access control list for 222.22/16

stateful packet filters
– Actually track TCP connections
– Check connections
Application gateway
– Policy decision based on application data
– Disadvantages
  A different application gateway for each application
  Performance penalty
  The client software must know how to contact the gateway

Intrusion detection systems
– Deep packet inspection
– A high-security region and a lower-security region (demilitarized zone (DMZ))
– Signature-based system: require previous knowledge of the attack to generate an accurate signature
– Anomaly-based system: create a traffic profile
– Example: snort