Transcript Security services

Data & Network Security
Mehrdad Nourani
1
Session 09
Security Services &
Traffic Confidentiality
2
Security Management, Services
and Threats
3
Security Management
• Security management functions are concerned with
the management, control, and administration of
security services for all secured entities within the
security domain according to the defined policies.
• Security management is responsible for the
installation, monitoring, tuning, and restructuring of
the available security services. Functions of security
management include control and distribution,
monitoring, event logging, event reporting, security
audit trail and security recovery.
• Based on the corresponding policy and target
systems/network some of these functions may not
apply or need not to be implemented.
4
Security Services
• Security services are remedies, defenses, and
countermeasures by which security threats are
countered.
• The specific implementation of each security
service is based on one or more security
mechanisms.
• In general, we define six security services aimed
to provide the following six basic security
objectives.
• Some of these services may appear "overlapping."
• key management is an important function that
has to be provided by any system involved in
providing security services and data encryption. 5
Security Services (I)
• Confidentiality and Privacy - is the
protection of information exchange and traffic
flow from unauthorized disclosure (or all passive
attacks).
• This service can be implemented at different
layers of communication protocols and/or at
several application/system levels.
6
Security Services (II)
• Integrity and Protection - is the protection of
information exchange and storage from mostly
active attacks and (wo)man-in-the-middle
attacks/
• It assures that information is received as sent,
with no duplication, insertion, modification,
reordering, or replay.
7
Security Services (III)
• Access Control and Authorization - in the
context of network security, is the protection,
limitation, and control of access to the host,
operating system, and applications via
communications links.
• Authorization is to provide access rights as
tailored to the individual user or application.
8
Security Services (IV)
• Non-repudiation and Accountability - is
concerned with preventing either sender or
receiver from denying an exchanged
information.
• Sometimes, an arrangement to use an unbiased
arbitrator, called a notary, is used when both
parties are suspicious users.
9
Security Services (V)
• Authentication - is concerned with assuring
that the communication is authentic, including
source of information, communicating systems
or applications, and/or users.
10
Security Services (VI)
• Availability and Non-Denial of Service - is
concerned with assuring that a communication
resource is not destroyed or blocked or becomes
unavailable or unusable to its authorized users.
• Denial of service means knocking off services
without permission, e.g., flooding the file server
with phony files causing a system crash, or
congesting remote access servers with
unauthorized access requests.
11
Security Threats
• A threat or security attack is a potential violation
of security or an intrusion for unauthorized,
illegitimate, malicious or fraudulent purposes.
• These attacks are aimed to compromise
security.
• The points of attack (or attacking points) can
occur at various weakness points within a
security perimeter, and can be at any level or
layer of realization, e.g., at the physical system
realization level, at the system or network level,
at the communication protocol level, and so on.
12
Security Threat Classification
• The nature of the attacks varies with the
circumstances and according to the defined
perimeter for the security.
• Threats may be classified by their:
— Type (e.g., accidental or intentional, passive or
active)
— Consequences
— Sources (e.g., users or programs)
— Objects of threats
13
Typical Intentional Threats
14
Typical Intentional Threats (cont.)
15
Some Products & Solutions
•
•
•
Some security products/solutions are designed
for a particular environment or for a special
application.
They are considered as custom-designed
combinations of the above services.
Examples of these are:
1. PGP (Pretty Good Privacy) - a widely used authentication
and confidentiality service.
2. Kerberos - an authentication protocol based on
conventional encryption to authenticate clients to
servers, and vice versa. The Version 5 Kerberos was
developed within the Internet community.
3. PEM (Privacy Enhancement Mail) - developed specifically
as an Internet Standard for electronic mail.
16
Businesses & Threats
17
Security Mechanism
• Security mechanisms are effective techniques and
schemes used to implement a given security service
with different degrees of complexity.
• Security services are designed to detect, prevent, or
recover from a security violation or attack.
• For example, an abstract service like data confidentiality
might be implemented using either the secret key data
encryption mechanism or public key data encryption
scheme.
• In most practical cases, a combination of security
mechanisms need to implement even one particular
security service.
— The services can be implemented either with strong
mechanism or with weak mechanism (low, medium, or
high security).
18
Well-Known Mechanisms
19
Security Perimeter & Domain
20
Security Borders
• In communications network environment and
where encryption (confidentiality and privacy) is
desired, security borders can be established
around:
—Link-by-link
—End-to-end (or application-to-application)
—User-to-user (operating system to operating system)
—Network edge-to-network edge
21
Link-by-Link Security
• Link-by-link security takes place at the lowest
layers, where every transaction through a
particular data-link is encrypted (secured).
• Examples of this are data encryption devices
placed at the physical and/or datalink layers.
• Key management in this case can be simple
because only the endpoints of the
communication link need to exchange keys
independent from the rest of the network.
• The main problem is that leaving any link in the
network unencrypted jeopardizes the security of
the entire network.
22
End-to-End Security
• If security is provided at higher layers, it is
called end-to-end, when information is
encrypted selectively and decrypted by the
intended final recipient.
• In this case, security devices are placed
between the network layer and transport layer.
• The security device must recognize protocols up
to network layer (layer 3) and encrypt only the
transport data units.
• One problem is that the system is open to traffic
analysis attack because the routing information
for the data is not generally encrypted.
23
Security at Higher Levels
• Data security and encryption can be performed
at higher layer and even for data storage.
• At the application level, a hierarchy of security
services may be defined, each providing security
against a different perceived threat.
• In general, security services are defined (within
a particular border against outside world) for:
—a
—a
—a
—a
user entity (either process or machine),
network, a communication environment,
computing environment, or
stand-alone system.
24
Security Perimeter
• A security perimeter as a homogeneous set of
tools and measures, established around some
communication and/or computing environment,
to protect it from the outside nonsecure
environment.
• In general, security perimeters can be
established around user, data processing and/or
application, data storage, and data
communication.
25
Security Domain
•
•
In practice, a security perimeter environment can be
constituted of (or subdivided to) several
heterogeneous security domains, each domain follows
the same measures of its parent perimeter plus some
possible extra measures.
A security domain is, therefore, a subset of users and
resources of the global security perimeter environment,
conforming to:
1.
2.
3.
4.
a unique security policy,
a single logical security management,
a single security administration,
a set of uniformly available elementary mathematical
macros for provision of security services and
mechanisms.
26
Domain Relationships
• Entities that are subject to a single security policy, grouped together
logically or physically, and administered by a single authority, called
security management system (SMS), constitute a security domain.
• The approach of structuring the boundaries of domains leads to
various relationships between domains.
• Domains may be disjoint, overlapping, or subsets of other domains.
27
Security Perimeters and Domains
• Each domain may be served by a central Security Management Center
(SMC), which will be responsible for the policy making, management,
and control of security services and activity on the network.
• Some negotiation and resolutions is necessary in order to establish
common sets and levels of security parameters.
28
Confidentiality Using
Symmetric Encryption
29
Confidentiality
• Traditionally symmetric encryption is used to
provide message confidentiality
• Confidentiality has been the main goal of
encryption
• Other considerations added in the past few
decades:
—Authentication
—Integrity
—Digital signature
30
Points of Vulnerability
2
3
4
1
1.
2.
3.
4.
snooping from another
workstation
use dial-in to LAN or
server to snoop
use external router link
to enter & snoop
monitor and/or modify
traffic on external links
31
Potential Vulnerability
• consider typical scenario
•
— workstations on LANs access other workstations &
servers on LAN
— LANs interconnected using switches/routers
— with external lines or radio/satellite links
consider attacks and placement in this scenario
1.
2.
3.
4.
snooping from another workstation
use dial-in to LAN or server to snoop
use external router link to enter & snoop
monitor and/or modify traffic on external links
32
What to Encrypt?
• have two major placement alternatives
• link encryption
—encryption occurs independently on every link
—implies must decrypt traffic between links
—requires many devices, but paired keys
• end-to-end encryption
—encryption occurs between original source and final
destination
—need devices at each end with shared keys
33
Encrypt Across a Packet Network
34
Disadvantage of Link Encryption
• One disadvantage of link encryption approach is
that the message must be decrypted each time
it enters a packet switch.
• This is necessary because the packet switch
must read the address (i.e., the virtual circuit
number) in the packet header to route the
packet.
• Thus, the message is vulnerable at each switch.
If this is a public packet-switching network
(PSN), the user has no control over the security
of the nodes.
35
Disadvantage of End-to-End Encryption
• End-to-end approach would seem to secure the
transmission against attacks on the network
links or switches.
• when using end-to-end encryption must leave
headers in clear (unencrypted)
—so network can correctly route information
• hence although contents protected, traffic
pattern flows are not (as they can be read)
36
End-to-End vs. Link Encryption
• With end-to-end encryption, the user data are
secure. However, the traffic pattern is not,
because packet headers are transmitted in the
clear.
• To achieve greater security, both link and endto-end encryption are needed.
• Ideally we want both at once
—end-to-end protects data contents over entire path
and provides authentication
—link protects traffic flows from monitoring but it
requires a lot of encryption devices
37
End-to-End vs. Link Encryption (cont.)
38
Logical Placement of Encryption
• can place encryption function at various layers
in OSI Reference Model
—link encryption occurs at layers 1 or 2
—end-to-end can occur at layers 3, 4, 6, 7
– E.g. the user data portion of all frames in ATM cells is
encrypted
—as move higher less information is encrypted but it is
more secure though more complex with more entities
and keys
39
Using an Encryption Processor
• In network layer (layer 3):
— each end system can engage in an encrypted
exchange with another end system.
—All the user processes and applications within each
end system would employ the same encryption
scheme with the same key to reach a particular
target end system.
—With this arrangement, it is desirable to off-load the
encryption function to some sort of front-end
processor.
40
Front-End Encryption Processor
• The front-end processor (FEP) accepts and
processes the packet
—Red data: unencrypted (in clear)
—Black data: encrypted
41
Scope of Encryption
• Encryption service on end-to-end protocols (e.g.
frame-delay or TCP) provides end-to-end
security for traffic within a fully integrated internetwork.
• Such scheme cannot deliver the security service
to the traffic that crosses inter-network
boundaries, such as electronic mail, electronic
data interchange (EDI) and file transfer.
42
Scope of Encryption in OSI
Application
Layer
43
Scope of Encryption in OSI (cont.)
• For applications like electronic mail that have a storeand-forward capability, the only place to achieve end-toend encryption is at the application layer.
• A drawback of the application layer encryption is that
the number of entities to consider increases
dramatically, e.g.
— Supporting hundreds of hosts
— Supporting thousands of users
— Need to manage (generate and distribute) many more secret
keys
• As we move up in the communication hierarchy, less
information is encrypted but it is more secure.
44
Encryption and Protocol Levels
• In application level:
— Only user data portion of a TCP segment is encrypted
• In transport/session (TCP) level:
— the user data and the TCP header are encrypted. The IP header
is needed by router to route the IP datagram.
45
Encryption and Protocol Levels (cont.)
• When a message passes through a gateway:
— TCP header is terminated and a new transport connection is
opened for the next hop
— The gateway is treated as a destination by the underlying IP.
Thus, all data is decrypted in gateway.
— If the next hop is over TCP/IP, then the user data and TCP
header are encrypted again.
46
Encryption and Protocol Levels (cont.)
• In link level:
—Entire data unit except for the link header and trailer
is encrypted on each link.
—The entire data unit is in the clear (unencrypted) at
each router or gateway.
47
Traffic Analysis
• is monitoring of communications flows between parties
— useful both in military & commercial spheres
— can also be used to create a covert channel (using the
communication channel in a way that violates the security
policy, e.g. an employee sends a short message as “0” and a
long message as “1”. If an outsider can monitor the channel
they effectively established a covert channel)
• Traffic analysis violates confidentiality since by
monitoring length, duration etc. of communication one
can find useful information like:
— Identity of partners
— How frequently they communicated
— Message pattern, level of importance
— Correlation between events and communication
—…
48
A Solution to Traffic Analysis
• link encryption obscures header details
— but overall traffic volumes in networks and at end-points is still
visible
• Traffic padding:
— Generate random messages (even if there is none)
— Uniform the length of messages at the transport/application
level
• traffic padding can further obscure flows
— but at cost of continuous traffic
49
A Solution to Traffic Analysis (cont.)
• Protecting end-to-end encryption against traffic
analysis is more difficult.
• Since two sides should do encryption and
decryption, the choices to defend against traffic
analysis is more limited.
• Still you can obscure the underlying traffic by:
—Padding out data units to a uniform length at
transport or application layer
—Inserting null messages into the stream randomly
50
Key Distribution
51
Symmetric Encryption
• All of the methods discusses so far use a single key that must be
strictly kept secret. These systems are called symmetric-encryption
(or secret-key or private-key) systems.
• Key distribution is still a challenge. One approach is based on
sending pieces of key through separate channels.
52
Importance of Key Distribution
• symmetric schemes require both parties to
share a common secret key
• issue is how to securely distribute this key
• often secure system failure due to a break in the
key distribution scheme
53
Key Distribution Mechanisms
•
given parties A and B, there are various key
distribution alternatives:
1. A can select key and physically deliver to B
2. third party can select & deliver key to A & B
3. if A & B have communicated previously can use
previous key to encrypt a new key
4. if A & B have secure communications with a third
party C, C can relay key between A & B
•
For practical large distributed systems in which
many links/hosts/users need to exchange keys
option 4 is the answer.
54
Key Distribution Mechanisms (cont.)
• Link Encryption: Use
methods (1) or (2)
because only two devices
communicate.
• End-to-end Encryption:
— Manual delivery is not
possible due to exponential
growth.
— At the network/IP level a
key is needed for each pair
of hosts. (For N hosts, we
need N(N-1)/2 keys).
— At the application level a
key is needed for every
pair of users/processes.
(e.g. 1000 nodes require
C21000≈500000 keys)
55
Key Distribution Mechanisms (cont.)
• (3) Can be used for both link and
end-to-end encryptions. However,
if an attacker find one key then all
subsequent keys will be revealed.
• (4) is widely used for end-to-end
encryption using at least 2-levels
of keys:
— Session key: a temporary key
for the duration of logical
connection (e.g. transport
connection)
— Master key: is used to encrypt
and send session keys. It is
distributed in some noncryptographic way (e.g.
physical delivery). For N pairs
only N master keys are needed.
56
Key Distribution Scenario
57
Key Distribution Scenarios (cont.)
1. A issues a request to KDC for a session key.
The message includes the identity of A and B
and N1 (called nonce, e.g. a random number).
2. KDC responds with a message encrypted with
Ka (master key of A). The message includes:
•
•
•
One-time session key Ks.
Original request and nonce of A
Ks and identifier of A (e.g. A’s network address)
encrypted with Kb
3. A stores Ks and send EKb(Ks||IDA) to B
4. Using Ks, B sends a nonce N2 to A.
5. Using Ks A responds f(N2) (a transformation of
N2 e.g. N2+1) for authentication.
58
Key Distribution Scenarios (cont.)
•
Note that the actual key distribution involves
only steps 1 through 3.
— After step 3, both A and B have the session key Ks
and they may begin their protected exchange of
information.
•
Steps 3, 4 and 5 together perform an
authentication function.
— They assume B that the original message it received
in step 3 was not a replay.
59
Key Distribution Issues
• hierarchies of KDC’s required for large networks,
but must trust each other
• session key lifetimes should be limited for
greater security
• use of automatic key distribution on behalf of
users, but must trust system
• use of decentralized key distribution
• controlling purposes keys are used for
60
Automatic Key Distribution
• For connection-oriented protocols (e.g. at network or
transport levels) the key can be generated, using FrontEnd Processor, in a way that is transparent to the end
user.
61
Automatic Key Distribution (cont.)
• The KDC provides a one-time session key for that
connection. The session keys are used for the duration
of a session. At the conclusion of the session, or
connection, the session key is destroyed.
• The automated key distribution approach provides the
flexibility and dynamic characteristics needed to allow a
number of terminal users to access a number of hosts
and for the hosts to exchange data with each other.
• Kerberos, used extensively in Microsoft Windows 2000, is
modelled on a KDC.
62
Difficulties in Key Distribution
• In general, a KDC supporting n sites, where each site
needs a secret key with every other site, must make
almost n2/2 keys.
• The KDC is often burdened with extensive key
management and can become a bottleneck.
• If the KDC also acts as a key escrow agent, the KDC
itself is an attractive target (e.g., for a distributed denialof-service attack).
• For these reasons, the symmetrical encryption is not
very attractive in large networks and is avoided
altogether.
• Another approach to security is the public-key
encryption, which makes key distribution much easier.
We will discuss it in the next chapter.
63
Decentralized Key Control
•
For small networks we may use a decentralized approach.
Each node must maintain n-1 master keys.
1. A issues a request to B for a session key and includes a
nonce N1.
2. B responds with a message that is encrypted using the
shared master key (MKm). The response includes: the
session key (Ks chosen by B), an identifier of B, value f(N1)
and another nonce N2.
3. Using the new session key A returns f(N2) to B for
authentication.
64
Controlling Key Usage
•
Sometimes it is useful to define different session keys
on the basis of use (for various applications)
— e.g. for communication, PIN-encrypted applications, file
encryption, etc.
•
•
It’s often desirable to institute controls in systems that
limit the ways in which keys are used, based on
characteristics associated with those keys.
Method 1: Use a tag with each key
— In DES, the actual key is 56 bits. 8 nonkey bits are used to
indicate something, e.g.
– 1 bit indicate whether the key is a session key or a Master key
– 1 bit indicate whether it’s for encryption or decryption
– …
— Two problems: 1) the length is limited and 2) the tag is not
transmitted in clear form it can be used only at the point of
decryption, limiting the ways in which the key can be controller.
65
Controlling Key Usage (cont.)
•
Method 2: Use control vector (CV).
— KDC sends control vector in clear and can be used in any stage.
— For master key Km and session key Ks :
Hash Value= H = h(CV)
Key Input
= Km XOR H
Ciphertext
= EKm XOR H [Ks]
Ks
= DKm XOR H [EKm XOR H [Ks]
•
•
There is no restriction on length which enables
arbitrarily complex controls to be imposed on each key
The control vector is available in clear form at all stages
of operation. Thus, the control of key use can be
exercised in multiple locations.
66
Controlling Key Usage (cont.)
•
To control some of the bits (for identification or
hierarchy, etc.) a control vector is used. KDC sends
control vector in clear and can be used in any stage.
67
Random Numbers
68
Importance of Random Numbers
• many uses of random numbers in
cryptography
—nonces in authentication protocols to prevent replay
(attacker stores old messages and replays them to
fake his ID and get session key for A)
—session keys
—public key generation
—Key stream for a one-time pad
• in all cases its critical that these values be
—statistically random
– with uniform distribution, independent
—unpredictable cannot infer future sequence on
previous values
69
Natural Random Noise
• best source is natural randomness in real world
• find a regular but random event and monitor
• do generally need special hardware to do this
—e.g. radiation counters, radio noise, audio noise,
thermal noise in diodes, leaky capacitors, mercury
discharge tubes etc
• starting to see such hardware in new CPU's
• problems of bias or uneven distribution in signal
—have to compensate for this when sample and use
—best to only use a few noisiest bits from each sample
70
Published Sources
• a few published collections of random numbers
• earlier Tippett in 1927 published a collection
• Rand Co, in 1955, published 1 million numbers
—generated using an electronic roulette wheel
—has been used in some cipher designs, e.g. Khafre
• issues are that:
—these are limited
—too well-known for most uses
71
Pseudorandom Number Generators (PRNGs)
• For cryptography applications we need a
deterministic algorithm to generate
pseudorandom numbers.
• how a deterministic algorithm generates random
values?
—A philosophical objection; not engineers’ concern
• algorithmic technique to create “random
numbers”
—although not truly random
—can pass many tests of “randomness”
72
Linear Congruential Generator
• common iterative technique using:
Xn+1 = (aXn + c) mod m
where m>0 and 0≤a,c,Xn<m
— X0 is the seed
— m must be very large to have a long sequence
• given suitable values of parameters can produce
a long random-like sequence
• suitable criteria to have are:
—function generates a full-period
—generated sequence should appear random
—efficient implementation with 32-bit arithmetic
• note that an attacker can reconstruct sequence
given a small number of value
73
Practical Pseudorandom Generator
• common iterative technique using:
Xn+1 = (16807Xn) mod (231-1)
—If m is prime and c=0, the period of generating
numbers is m-1
—To be efficient in implementation we chose 232-1.
—Coefficient a=75=16807 generates very good random
sequence and is widely used.
• If an opponent is able to get X0, X1, X2, X3 these
three equations can be solved for a, c and m.
• To create unpredictability, use current clock mod
m as the new seed to change the sequence
every N numbers.
74
Using Block Ciphers as Stream Ciphers
• can use block cipher to generate numbers
• use Counter Mode
Xi = EKm[i]
• use Output Feedback Mode
Xi = EKm[Xi-1]
75
Using Counter Mode
• use Counter Mode
Xi = EKm[i]
• The counter has
period of N , e.g. 256
when 56-bit DES keys
are used
• Since the master key
is protected it is not
possible to deduce
the secret key from
earlier keys
76
Using Output Feedback Mode
• The output of each stage is a 64-bit value of which
the s leftmost bits are fed back for encryption.
• Successive 64-bit outputs constitute a sequence of
pseudorandom numbers with good statistical
properties.
77
ANSI X9.17 Pseudorandom Number Gen.
• ANSI X9.17 PRNG
— uses date-time + seed inputs and
3 triple-DES encryptions to
generate new seed & random
• Input: two pseudorandom inputs:
— DTi : a 64-bit representation of
the current date/time
— a 64-bit seed Vi generated at the
beginning of ith stage
• Keys (K1,K2): all 3DES modules
use the same pair of 56-bit keys
• Output: 64-bit pseudorandom
number (Ri) and 64-bit seed value
(Vi+1)
— Ri = EDEK1,K2[Vi  EDEK1,K2[DTi]]
— Vi+1= EDEK1,K2[Ri  EDEK1,K2[DTi]]
78
Blum Blum Shub (BBS) Generator
• based on public key algorithms
• Choose:
— two prime numbers p,q such that p≡q≡3(mod 4)
— n=p.q
—a random number s (seed) such that it is relatively
prime to n (i.e. neither p nor q is a factor of s).
• The BBS generates sequence of bits Bi as
follows:
X0=s2 mod n
For i=1 to ∞
Xi=(Xi-1)2 mod n (All Xi is a number 0 ≤ Xi < n )
Bi=Xi mod 2
(Bi is least significant bit of Xi)
79
Features of BBS Generator
• unpredictable, passes next-bit test
(see table for n=192649=283x503
and s=101355).
• security rests on difficulty of
factoring n (i.e. given n determine
its two prime factors p and q)
• is unpredictable given any run of
bits (given k bits of the sequence it
is impossible to determine bit k+1
with probability above ½)
• slow, since very large numbers must
be used
• too slow for cipher use, good for key
generation
i
80
Summary
• have considered:
—use of symmetric encryption to protect confidentiality
—need for good key distribution
—use of trusted third party KDC’s
—random number generation
81