Introduction - Sensorweb Research Laboratory
Download
Report
Transcript Introduction - Sensorweb Research Laboratory
CSc 8222 Network Security
WenZhan Song
Department of Computer Science,
Georgia State University
Cryptography and Network Security
1
Notice©
This lecture note (Cryptography and Network Security) has benefited
from numerous textbooks and online materials. Especially Prof.
Xiang-Yang Li’s lecture slides, the “Cryptography and Network
Security” 2nd edition by William Stallings and the “Cryptography:
Theory and Practice” by Douglas Stinson.
You may not modify, publish, or sell, reproduce, create derivative
works from, distribute, perform, display, or in any way exploit any
of the content, in whole or in part, except as otherwise expressly
permitted by the author.
The author has used his best efforts in preparing this lecture note.
The author makes no warranty of any kind, expressed or implied,
with regard to the programs, protocols contained in this lecture
note. The author shall not be liable in any event for incidental or
consequential damages in connection with, or arising out of, the
furnishing, performance, or use of these.
Cryptography and Network Security
2
About Instructor
Professor GSU
Director of Sensorweb Research Laboratory
Research Interests:
Sensing, Computing, Communication, Control and Security in
Cyber-Physical Systems
Applications and Systems for Environment Monitoring, Smart
Grid, Mobile Health
Contact Information
Phone 404-413-5734
Email: [email protected]
Cryptography and Network Security
3
Office and Office hours
Office
25 Park Pl NE, Suite 753
Office hours
Monday and Wednesday 1:30PM – 2:30PM.
Or by appointment: email [email protected]
Cryptography and Network Security
4
Grading and Others
Grading (proportion may change)
Attendance
5%
Homework
45%
Presentation 20%
Project
30% (you may select your own topic),
Policy
Do it yourself
Can use library, Internet and so on, but you have to cite the sources
when you use this information
Cryptography and Network Security
5
Homeworks
Do it independently
No discussion
No copy
Can use reference books
Write your name also,
you could discuss with
classmates then write your own
report (about 10 pages for the
topic you selected)
Staple your solution
For report,
Type your solution, and
print to submit before class
on due date
For project (presentation
and programming)
You SHOULD collaborate
with your group member and
you SHOULD make enough
contributions to get credit
Cryptography and Network Security
6
Topics and Outline
Cryptography and Number Theory
Symmetric Encryption and Message Confidentiality
Public-Key Cryptography and Message Authentication
Network Security Applications
Key Distribution and User Authentication
Network Access Control and Cloud Security
Transport-level Security
Wireless Network Security
E-Mail Security
IP Security
System Security
Malicious Software
Intruders
Firewalls
Other topics: smart grid security, deeper number theory
Cryptography and Network Security
7
Network Security
Introduction
Cryptography and Network Security
8
Introduction
The art of war teaches us not on the likelihood
of the enemy’s not coming, but on our own
readiness to receive him; not on the chance of
his not attacking, but rather on the fact that
we have made our position unassailable.
--The art of War, Sun Tzu
Cryptography and Network Security
9
Criteria for Desirable Cryptosystems
Confidence in Security established
Hard or intractable problems?
Practical Efficiency
Space, time and so on
Explicitness
About its environment assumptions, security service
offered, special cases in math assumptions,
Protection tuned to application needs
No less, no more
Openness
Cryptography and Network Security
10
Most important
Security first
Efficiency, resource utilization, and
security tradeoffs
This is especially the case for resource constrained
networks such as wireless sensor networks
Limited power supply (thus limited communication, and
computation), limited storage space
Cryptography and Network Security
11
Cryptography
Cryptography (from Greek kryptós, "hidden", and
gráphein, "to write") is, traditionally, the study of
means of converting information from its normal,
comprehensible form into an incomprehensible
format, rendering it unreadable without secret
knowledge — the art of encryption.
Past: Cryptography helped ensure secrecy in
important communications, such as those of spies,
military leaders, and diplomats.
In recent decades, cryptography has expanded its
remit in two ways
mechanisms for more than just keeping secrets: schemes like
digital signatures and digital cash, for example.
in widespread use by many civilians, and users are not aware of it.
Cryptography and Network Security
12
Crypto-graphy, -analysis, -logy
The study of how to circumvent the use of cryptography is
called cryptanalysis, or codebreaking.
Cryptography and cryptanalysis are sometimes grouped
together under the umbrella term cryptology, encompassing
the entire subject.
In practice, "cryptography" is also often used to refer to
the field as a whole; crypto is an informal abbreviation.
Cryptography is an interdisciplinary subject,
linguistics
mathematics: number theory, information theory, computational
complexity, statistics and combinatorics
engineering
Cryptography and Network Security
13
Close, but different fields
Steganography
the study of hiding the very existence of a message, and not
necessarily the contents of the message itself (for example,
microdots, or invisible ink)
http://en.wikipedia.org/wiki/Steganography
Traffic analysis
which is the analysis of patterns of communication in order
to learn secret information
The messages could be encrypted
http://en.wikipedia.org/wiki/Traffic_analysis
Cryptography and Network Security
14
Stenography Example
Image of a tree with a steganographically hidden image. The hidden image
is revealed by removing all but the two least significant bits of each color
component and a subsequent normalization. The hidden image is shown on
the right: a cat - extracted from the tree image above.
15
Tools for Stenography
http://www.jjtc.com/Steganography/toolm
atrix.htm
Cryptography and Network Security
16
Network Security Model
Trusted Third Party
principal
principal
Security
transformation
Security
transformation
attacker
Cryptography and Network Security
17
Attacks, Services and Mechanisms
Security Attacks
Action compromises the information security
Could be passive or active attacks
Security Services
Actions that can prevent, detect such attacks.
Such as authentication, identification, encryption, signature, secret
sharing and so on.
Security mechanism
The ways to provide such services
Detect, prevent and recover from a security attack
Cryptography and Network Security
18
Attacks
Passive attacks
Interception
Release of message contents
Traffic analysis
Active attacks
Interruption, modification, fabrication
Masquerade
Replay
Modification
Denial of service
Cryptography and Network Security
19
Information Transferring
Cryptography and Network Security
20
Attack: Interruption
Cut wire lines,
Jam wireless
signals,
Drop packets,
Cryptography and Network Security
21
Attack: Interception
Wiring,
eavesdrop
Cryptography and Network Security
22
Attack: Modification
intercept
Replaced
info
Cryptography and Network Security
23
Attack: Fabrication
Also called impersonation
Cryptography and Network Security
24
Attacks, Services and Mechanisms
Security Attacks
Action compromises the information security
Could be passive or active attacks
Security Services
Actions that can prevent, detect such attacks.
Such as authentication, identification, encryption, signature, secret
sharing and so on.
Security mechanism
The ways to provide such services
Detect, prevent and recover from a security attack
Cryptography and Network Security
25
Important Services of Security
Confidentiality, also known as secrecy:
Integrity:
the recipient should be able to determine if the message has been
altered during transmission.
Authentication:
only an authorized recipient should be able to extract the
contents of the message from its encrypted form. Otherwise, it
should not be possible to obtain any significant information
about the message contents.
the recipient should be able to identify the sender, and verify
that the purported sender actually did send the message.
Non-repudiation:
the sender should not be able to deny sending the message.
Cryptography and Network Security
26
Secure Communication
protecting data locally only solves a minor
part of the problem. The major challenge
that is introduced by the Web Service
security requirements is to secure data
transport between the different
components. Combining mechanisms at
different levels of the Web Services
protocol stack can help secure data
transport (see figure next page).
Cryptography and Network Security
27
Secure Communication
Cryptography and Network Security
28
Secure Communication
The combined protocol HTTP/TLS or SSL is often
referred to as HTTPS (see figure). SSL was
originally developed by Netscape for secure
communication on the Internet, and was built into
their browsers. SSL version 3 was then adopted
by IETF and standardized as the Transport Layer
Security (TLS) protocol.
Use of Public Key Infrastructure (PKI) for session
key exchange during the handshake phase of TLS
has been quite successful in enabling Web
commerce in recent years.
TLS also has some known vulnerabilities: it is
susceptible to man-in-the-middle attacks and
denial-of-service attacks.
Cryptography and Network Security
29
SOAP security
SOAP (Simple Object Access Protocol) is designed to pass
through firewalls as HTTP. This is disquieting from a
security point of view. Today, the only way we can recognize
a SOAP message is by parsing XML at the firewall. The
SOAP protocol makes no distinction between reads and
writes on a method level, making it impossible to filter away
potentially dangerous writes. This means that a method
either needs to be fully trusted or not trusted at all.
The SOAP specification does not address security issues
directly, but allows for them to be implemented as
extensions.
As an example, the extension SOAP-DSIG defines the syntax and
processing rules for digitally signing SOAP messages and validating
signatures. Digital signatures in SOAP messages provide integrity and
non-repudiation mechanisms.
Cryptography and Network Security
30
PKI
PKI key management provides a sophisticated framework for
securely exchanging and managing keys. The two main
technological features, which a PKI can provide to Web
Services, are:
Encryption of messages: by using the public key of the recipient
Digital signatures: non-repudiation mechanisms provided by PKI and
defined in SOAP standards may provide Web Services applications with
legal protection mechanisms
Note that the features provided by PKI address the same
basic needs as those that are recognized by the
standardization organizations as being important in a Web
Services context.
In Web Services, PKI mainly intervenes at two levels:
At the SOAP level (non-repudiation, integrity)
At the HTTPS level (TLS session negotiation, eventually assuring
authentication, integrity and privacy)
Cryptography and Network Security
31
Some basic Concepts
Cryptography and Network Security
32
Cryptography
Cryptography is the study of
Secret (crypto-) writing (-graphy)
Concerned with developing algorithms:
Conceal the context of some message from all except
the sender and recipient (privacy or secrecy), and/or
Verify the correctness of a message to the recipient
(authentication)
Form the basis of many technological solutions to
computer and communications security problems
Cryptography and Network Security
33
Basic Concepts
Cryptography
encompassing the principles and methods of transforming
an intelligible message into one that is unintelligible, and
then retransforming that message back to its original form
Plaintext
The original intelligible message
Ciphertext
The transformed message
Message
Is treated as a non-negative integer hereafter
Cryptography and Network Security
34
Basic Concepts
Cipher
An algorithm for transforming an intelligible message
into unintelligible by transposition and/or substitution,
or some other techniques
Keys
Some critical information used by the cipher, known
only to the sender and/or receiver
Encipher (encode)
The process of converting plaintext to ciphertext
Decipher (decode)
The process of converting ciphertext back into plaintext
Cryptography and Network Security
35
Basic Concepts
cipher
an algorithm for encryption and decryption. The exact
operation of ciphers is normally controlled by a key — some
secret piece of information that customizes how the
ciphertext is produced
Protocols
specify the details of how ciphers (and other cryptographic
primitives) are to be used to achieve specific tasks.
A suite of protocols, ciphers, key management, userprescribed actions implemented together as a system
constitute a cryptosystem;
this is what an end-user interacts with, e.g. PGP
Cryptography and Network Security
36
Encryption and Decryption
Decipher P = D(K2)(C)
ciphertext
Plaintext
Encipher C = E(K1)(P)
K1, K2: from keyspace
These two keys could be different;
could be difficult to get one from the other
Cryptography and Network Security
37
What is Security?
Two fundamentally different securities
Unconditional security
No matter how much computer power is available, the cipher
cannot be broken
Using Shannon’s information theory
The entropy of the message I(M) is same as the entropy of the
message I(M|C) when known the ciphertext (and possible more)
Computational security
Given limited computing resources (e.g time needed for
calculations is greater than age of universe), the cipher
cannot be broken
What do we mean “broken”?
Proved by some complexity equivalence approach
Cryptography and Network Security
38