Chapter 8
Network Security
(some reviews and security protocols)
These ppt slides are originally from Kurose and Ross’s
book. Some slides have been deleted or added for my own
purposes, and some have been modified.
8: Network Security
8-1
What is network security?
Confidentiality: only sender, intended receiver
should “understand” message contents
Authentication: sender, receiver want to confirm
identity of each other
Message Integrity: sender, receiver want to ensure
message not altered (in transit, or afterwards)
without detection
Message non-repudiation: sender cannot deny that he
really sent the message.
Access and Availability: services must be accessible
and available to users
What we have to consider
Cryptography
Cryptography algorithms
Network security protocols
Security for individual attacks
Ex. Web security
The language of cryptography
[Figure: plaintext -> encryption algorithm (Alice’s encryption key K_A) -> ciphertext -> decryption algorithm (Bob’s decryption key K_B) -> plaintext]
symmetric key crypto: sender, receiver keys identical
public-key crypto: encryption key public, decryption key
secret (private)
Cryptography algorithms
Symmetric key algorithms
DES (Data Encryption Standard)
AES (Advanced Encryption Standard)
Asymmetric key algorithms
RSA
Diffie-Hellman
Two parties create a symmetric session key to
exchange data without having to store the key
for future use.
Symmetric key cryptography
substitution cipher: substituting one thing for another
monoalphabetic cipher: substitute one letter for another
plaintext:
abcdefghijklmnopqrstuvwxyz
ciphertext:
mnbvcxzasdfghjklpoiuytrewq
E.g.:
Plaintext: bob. i love you. alice
ciphertext: nkn. s gktc wky. mgsbc
Q: How hard is it to break this simple cipher?
brute force (how hard?)
other?
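An added example (not part of the original slides) that runs the substitution table above in Python and puts numbers on the slide's question: the key space is 26!, yet word lengths, repeated-letter patterns and letter counts pass through encryption unchanged. The function names are chosen here for illustration.

```python
import math
import string

# Substitution table copied from the slide: plaintext row and ciphertext row.
PLAIN = "abcdefghijklmnopqrstuvwxyz"
CIPHER = "mnbvcxzasdfghjklpoiuytrewq"
ENC = str.maketrans(PLAIN, CIPHER)
DEC = str.maketrans(CIPHER, PLAIN)


def encrypt(text):
    """Substitute each lowercase letter; spaces and punctuation pass through."""
    return text.translate(ENC)


def decrypt(text):
    return text.translate(DEC)


def keyspace_bits():
    """Any permutation of the 26 letters is a key, so there are 26! keys."""
    return math.log2(math.factorial(26))


def repeat_pattern(word):
    """Describe which positions repeat, e.g. 'bob' -> (0, 1, 0)."""
    seen = {}
    return tuple(seen.setdefault(ch, len(seen)) for ch in word)


def sorted_counts(text):
    """Letter counts, largest first, ignoring which letter owns each count."""
    letters = [ch for ch in text if ch in string.ascii_lowercase]
    return sorted((letters.count(ch) for ch in set(letters)), reverse=True)


if __name__ == "__main__":
    message = "bob. i love you. alice"          # the slide's plaintext
    ciphertext = encrypt(message)
    print(ciphertext)
    print(decrypt(ciphertext))
    print(f"brute force: about 2^{keyspace_bits():.1f} keys")
    # What survives encryption: word lengths, repeat patterns, letter counts.
    print(repeat_pattern("bob"), repeat_pattern(encrypt("bob")))
    print(sorted_counts(message) == sorted_counts(ciphertext))
```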
Symmetric key cryptography
[Figure: plaintext message, m -> encryption algorithm (key K_{A-B}) -> ciphertext K_{A-B}(m) -> decryption algorithm (key K_{A-B}) -> plaintext m = K_{A-B}(K_{A-B}(m))]
symmetric key crypto: Bob and Alice share (know) the same
(symmetric) key: K_{A-B}
e.g., key is knowing the substitution pattern in a
monoalphabetic substitution cipher
Q: how do Bob and Alice agree on key value?
Symmetric key crypto: DES
DES: Data Encryption Standard
US encryption standard [NIST 1993]
56-bit symmetric key, 64-bit plaintext input
How secure is DES?
DES Challenge: 56-bit-key-encrypted phrase
(“Strong cryptography makes the world a safer
place”) decrypted (brute force) in 4 months
no known “backdoor” decryption approach
making DES more secure:
use three keys sequentially (3-DES) on each datum
use cipher-block chaining
Symmetric key crypto: DES
DES operation
initial permutation
16 identical “rounds” of
function application,
each using different
48 bits of key
final permutation
AES: Advanced Encryption Standard
new (Nov. 2001) symmetric-key NIST
standard, replacing DES
processes data in 128 bit blocks
128, 192, or 256 bit keys
brute force decryption (try each key)
taking 1 sec on DES, takes 149 trillion
years for AES
Public Key Cryptography
symmetric key crypto
requires sender,
receiver know shared
secret key
Q: how to agree on key
in first place
(particularly if never
“met”)?
public key cryptography
radically different
approach [DiffieHellman76, RSA78]
sender, receiver do
not share secret key
public encryption key
known to all
private decryption
key known only to
receiver
Public key cryptography
[Figure: plaintext message, m -> encryption algorithm (Bob’s public key K_B^+) -> ciphertext K_B^+(m) -> decryption algorithm (Bob’s private key K_B^-) -> plaintext message m = K_B^-(K_B^+(m))]
Public key encryption algorithms
Requirements:
1. need K_B^+( ) and K_B^-( ) such that
K_B^-(K_B^+(m)) = m
2. given public key K_B^+, it should be
impossible to compute
private key K_B^-
RSA: Rivest, Shamir, Adleman algorithm
RSA: Choosing keys
1. Choose two large prime numbers p, q.
(e.g., 1024 bits each)
2. Compute n = pq, z = (p-1)(q-1)
3. Choose e (with e<n) that has no common factors
with z. (e, z are “relatively prime”).
4. Choose d such that ed-1 is exactly divisible by z.
(in other words: ed mod z = 1 ).
5. Public key K_B^+ is (n,e). Private key K_B^- is (n,d).
RSA: Encryption, decryption
0. Given (n,e) and (n,d) as computed above
1. To encrypt bit pattern, m, compute
c = m^e mod n (i.e., remainder when m^e is divided by n)
2. To decrypt received bit pattern, c, compute
m = c^d mod n (i.e., remainder when c^d is divided by n)
Magic happens!
m = (m^e mod n)^d mod n, where c = m^e mod n
RSA example:
Bob chooses p=5, q=7. Then n=35, z=24.
e=5 (so e, z relatively prime).
d=29 (so ed-1 exactly divisible by z).
encrypt: letter = l, m = 12, m^e = 1524832, c = m^e mod n = 17
decrypt: c = 17, c^d = 481968572106750915091411825223071697, m = c^d mod n = 12, letter = l
RSA: Why is that m = (m^e mod n)^d mod n
Useful number theory result: If p,q prime and
n = pq, then:
x^y mod n = x^{y mod (p-1)(q-1)} mod n
(m^e mod n)^d mod n = m^{ed} mod n
= m^{ed mod (p-1)(q-1)} mod n
(using number theory result above)
= m^1 mod n
(since we chose ed to be divisible by
(p-1)(q-1) with remainder 1 )
= m
RSA: another important property
The following property will be very useful later:
K_B^-(K_B^+(m)) = m = K_B^+(K_B^-(m))
left-hand side: use public key first, followed by private key
right-hand side: use private key first, followed by public key
Result is the same!
Why is RSA Secure?
Suppose you know Alice’s public key (n,e).
How hard is it to determine d?
Essentially need to find factors of n
without knowing the two factors p and q.
Fact: factoring a big number is hard.
Generating RSA keys
Have to find big primes p and q
Approach: make good guess then apply
testing rules (see Kaufman)
RSA is slow
Exponentiation is computationally intensive
DES is at least 100 times faster than RSA
Session key, K_S
Bob and Alice use RSA to exchange a symmetric
key K_S
Once both have K_S, they use DES
Message authentication and
integrity
Cryptographic algorithms are also used for
message authentication and integrity.
Message Digests
Function H( ) that takes as
input an arbitrary length
message and outputs a
fixed-length string:
“message signature”
Note that H( ) is a many-to-1 function
H( ) is often called a “hash
function”
[Figure: large message m -> H: Hash Function -> H(m)]
Desirable properties:
Easy to calculate
Irreversibility: Can’t
determine m from H(m)
Collision resistance:
Computationally difficult
to produce m and m’ such
that H(m) = H(m’)
Seemingly random output
Hash Function Algorithms
MD5 hash function widely used (RFC 1321)
computes 128-bit message digest in 4-step
process.
arbitrary 128-bit string x, appears difficult to
construct msg m whose MD5 hash is equal to x.
SHA-1 is also used.
US standard [NIST, FIPS PUB 180-1]
160-bit message digest
Message Authentication Code (MAC)
[Figure: sender: message m -> H( ) -> MAC, sent together with the message; receiver: received message -> H( ) -> MD_m, compared with the received MAC]
Notation: MD_m = H(m); MAC = K(H(m)); send {m||MAC}
MAC
A message digest hashed from a message
provides the integrity of the message, but
not the authenticity of the sender.
A MAC is distinguished from a message
digest (MD) in that a MAC takes the
message and a symmetric key as inputs and
generates a small block of data as
output (so it is called a keyed hash).
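An added example (not from the original slides) contrasting {m||H(m)} with {m||MAC}. It uses HMAC-SHA256 from the Python standard library as the keyed hash, which is a different construction from the slide's K(H(m)) notation, and SHA-256 in place of MD5 and SHA-1, for which collisions have been demonstrated; the key and messages are constructed samples.

```python
import hashlib
import hmac

TAG_LEN = hashlib.sha256().digest_size   # 32 bytes


def frame_with_digest(m):
    """{m || H(m)}: anyone can recompute the trailer, no key involved."""
    return m + hashlib.sha256(m).digest()


def frame_with_mac(key, m):
    """{m || MAC}: the trailer depends on the shared symmetric key."""
    return m + hmac.new(key, m, hashlib.sha256).digest()


def split(frame):
    if len(frame) < TAG_LEN:
        raise ValueError("frame shorter than the trailer")
    return frame[:-TAG_LEN], frame[-TAG_LEN:]


def accept_digest(frame):
    """Receiver check for the digest-only scheme; returns m or None."""
    m, trailer = split(frame)
    ok = hmac.compare_digest(trailer, hashlib.sha256(m).digest())
    return m if ok else None


def accept_mac(key, frame):
    """Receiver check for the keyed scheme; constant-time comparison."""
    m, trailer = split(frame)
    expected = hmac.new(key, m, hashlib.sha256).digest()
    return m if hmac.compare_digest(trailer, expected) else None


if __name__ == "__main__":
    key = b"constructed shared key K"           # constructed sample key
    original = b"transfer 10 to Bob"            # constructed sample message
    altered = b"transfer 99 to Bob"

    # A party without the key can still build a valid digest-only frame.
    keyless_frame = frame_with_digest(altered)
    print("digest check:", accept_digest(keyless_frame))
    print("MAC check:   ", accept_mac(key, keyless_frame))
    # Changing the message under a genuine MAC is detected as well.
    genuine = frame_with_mac(key, original)
    spliced = altered + split(genuine)[1]
    print(accept_mac(key, genuine), accept_mac(key, spliced))
```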
Digital Signatures
Cryptographic technique analogous to handwritten signatures.
sender (Bob) digitally signs document,
establishing he is document owner/creator.
verifiable, nonforgeable: recipient (Alice) can
prove to someone that Bob, and no one else
(including Alice), must have signed document
Digital signatures use asymmetric key
algorithms.
Digital Signatures
Simple digital signature for message m:
Bob signs m by encrypting with his private key
K_B^-, creating “signed” message, K_B^-(m)
[Figure: Bob’s message, m -> public key encryption algorithm (Bob’s private key K_B^-) -> K_B^-(m): Bob’s message, m, signed (encrypted) with his private key]
Bob’s message, m:
Dear Alice
Oh, how I have missed
you. I think of you all the
time! …(blah blah blah)
Bob
Digital Signatures (more)
Suppose Alice receives msg m, digital signature K_B^-(m)
Alice verifies m signed by Bob by applying Bob’s
public key K_B^+ to K_B^-(m) then checks K_B^+(K_B^-(m)) = m.
If K_B^+(K_B^-(m)) = m, whoever signed m must have used
Bob’s private key.
Alice thus verifies that:
Bob signed m.
No one else signed m.
Bob signed m and not m’.
Non-repudiation:
Alice can take m, and signature K_B^-(m) to
court and prove that Bob signed m.
Message Digests
Computationally expensive
to public-key-encrypt
long messages
Goal: fixed-length, easy-to-compute digital
“fingerprint”
apply hash function H
to m, get fixed size
message digest, H(m).
[Figure: large message m -> H: Hash Function -> H(m)]
Hash function properties:
many-to-1
produces fixed-size msg
digest (fingerprint)
given message digest x,
computationally
infeasible to find m such
that x = H(m)
Digital signature = signed message digest
Bob sends digitally signed
message:
[Figure: large message m -> H: Hash function -> H(m) -> digital signature (encrypt) with Bob’s private key K_B^- -> encrypted msg digest K_B^-(H(m)); m is sent together with K_B^-(H(m))]
Alice verifies signature and
integrity of digitally signed
message:
[Figure: received large message m -> H: Hash function -> H(m); received encrypted msg digest K_B^-(H(m)) -> digital signature (decrypt) with Bob’s public key K_B^+ -> H(m); are the two H(m) values equal?]
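An added example, not from the original slides, of the sign-the-digest flow in Python. The key is a constructed demo key, the function names are illustrative, and the digest is signed without the padding (PKCS #1 v1.5 or PSS) that real RSA signatures apply.

```python
import hashlib

# Constructed demo key built from two Mersenne primes. It is far too small for
# real use and only keeps the arithmetic readable.
P, Q = 2**61 - 1, 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))        # ed mod z = 1 (Python 3.8+)


def digest_int(message):
    """H(m) as an integer; reduced mod N only because the demo key is short."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message):
    """Bob: K_B^-(H(m)), one fixed-size value however long the message is."""
    return pow(digest_int(message), D, N)


def verify(message, signature):
    """Alice: apply K_B^+ to the signature and compare with her own H(m)."""
    if not isinstance(signature, int) or not 0 <= signature < N:
        return False
    return pow(signature, E, N) == digest_int(message)


if __name__ == "__main__":
    m = b"Dear Alice ... Bob" * 10_000       # constructed long message
    sig = sign(m)
    print("message bytes:", len(m), " signature bits:", sig.bit_length())
    print("genuine:", verify(m, sig))
    print("altered message:", verify(m + b"!", sig))
    print("altered signature:", verify(m, (sig + 1) % N))
```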
Key distribution
In the symmetric key algorithm, how can
only two parties have the key without it
being known to others?
In the asymmetric key algorithm, if
someone claims that a key is his public key,
how can I trust that the key is really his
public key?
To solve this problem, we need a
trust base (starting point).
Trusted Intermediaries
Symmetric key problem:
How do two entities
establish shared secret
key over network?
Solution:
trusted key distribution
center (KDC) acting as
intermediary between
entities
Public key problem:
When Alice obtains
Bob’s public key (from
web site, e-mail,
diskette), how does she
know it is Bob’s public
key, not Trudy’s?
Solution:
trusted certification
authority (CA)
Key Distribution Center (KDC)
Alice, Bob need shared symmetric key.
KDC: server shares different secret key with each
registered user (many users)
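Alice, Bob know own symmetric keys, K_{A-KDC}, K_{B-KDC}, for
communicating with KDC.
[Figure: the KDC holds one key per registered user (K_{A-KDC}, K_{B-KDC}, K_{P-KDC}, K_{X-KDC}, K_{Y-KDC}, K_{Z-KDC}); Alice holds K_{A-KDC} and Bob holds K_{B-KDC}]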
Key Distribution Center (KDC)
Q: How does KDC allow Bob, Alice to determine shared
symmetric secret key to communicate with each other?
[Figure: message sequence]
Alice -> KDC: K_{A-KDC}(A,B)
KDC generates R1
KDC -> Alice: K_{A-KDC}(R1, K_{B-KDC}(A,R1))
Alice knows R1
Alice -> Bob: K_{B-KDC}(A,R1)
Bob knows to use R1 to communicate with Alice
Alice and Bob communicate: using R1 as
session key for shared symmetric encryption
Certification Authorities
Certification authority (CA): binds public key to
particular entity, E.
E (person, router) registers its public key with CA.
E provides “proof of identity” to CA.
CA creates certificate binding E to its public key.
certificate containing E’s public key digitally signed by CA
– CA says “this is E’s public key”
[Figure: Bob’s public key K_B^+ and Bob’s identifying information -> digital signature (encrypt) with CA private key K_CA^- -> certificate for Bob’s public key, signed by CA]
Certification Authorities
When Alice wants Bob’s public key:
gets Bob’s certificate (Bob or elsewhere).
apply CA’s public key to Bob’s certificate, get
Bob’s public key
[Figure: Bob’s certificate (containing K_B^+) -> digital signature (decrypt) with CA public key K_CA^+ -> Bob’s public key K_B^+]
A certificate contains:
Serial number (unique to issuer)
info about certificate owner, including algorithm
and key value itself (not shown)
info about certificate issuer
valid dates
digital signature by issuer
Security protocols
PGP: secure e-mail
SSL (TLS): http vs. https
SSH: telnet vs. SSH
IPsec
WEP: wireless LAN
And so on
Secure e-mail
Alice wants to send confidential e-mail, m, to Bob.
[Figure: Alice: m -> K_S( ) -> K_S(m); K_S -> K_B^+( ) -> K_B^+(K_S); K_S(m) and K_B^+(K_S) are sent over the Internet; Bob: K_B^+(K_S) -> K_B^-( ) -> K_S; K_S(m) -> K_S( ) -> m]
Alice:
generates random symmetric private key, K_S.
encrypts message with K_S (for efficiency)
also encrypts K_S with Bob’s public key.
sends both K_S(m) and K_B^+(K_S) to Bob.
Secure e-mail
Alice wants to send confidential e-mail, m, to Bob.
[Figure: Alice: m -> K_S( ) -> K_S(m); K_S -> K_B^+( ) -> K_B^+(K_S); K_S(m) and K_B^+(K_S) are sent over the Internet; Bob: K_B^+(K_S) -> K_B^-( ) -> K_S; K_S(m) -> K_S( ) -> m]
Bob:
uses his private key to decrypt and recover K_S
uses K_S to decrypt K_S(m) to recover m
Secure e-mail (continued)
• Alice wants to provide sender authentication,
message integrity.
[Figure: Alice: m -> H( ) -> K_A^-( ) -> K_A^-(H(m)); m and K_A^-(H(m)) are sent over the Internet; Bob: K_A^-(H(m)) -> K_A^+( ) -> H(m); m -> H( ) -> H(m); compare]
• Alice digitally signs message.
• sends both message (in the clear) and digital signature.
Secure e-mail (continued)
• Alice wants to provide secrecy, sender authentication,
message integrity.
[Figure: m -> H( ) -> K_A^-( ) -> K_A^-(H(m)); m and K_A^-(H(m)) -> K_S( ); K_S -> K_B^+( ) -> K_B^+(K_S); both outputs are sent over the Internet]
Alice uses three keys: her private key, Bob’s public
key, newly created symmetric key
Pretty good privacy (PGP)
Internet e-mail encryption
scheme, de-facto standard.
uses symmetric key
cryptography, public key
cryptography, hash
function, and digital
signature as described.
provides secrecy, sender
authentication, integrity.
inventor, Phil Zimmermann,
was target of 3-year
federal investigation.
A PGP signed message:
---BEGIN PGP SIGNED MESSAGE---
Hash: SHA1
Bob:My husband is out of town
tonight.Passionately yours,
Alice
---BEGIN PGP SIGNATURE---
Version: PGP 5.0
Charset: noconv
yhHJRHhGJGhgg/12EpJ+lo8gE4vB3mqJ
hFEvZP9t6n7G6m5Gw2
---END PGP SIGNATURE---
SSL: Secure Sockets Layer
Most widely deployed
security protocol
Supported by almost all
browsers and web servers
https
Tens of billions $ spent
per year over SSL
Originally designed by
Netscape in 1993
Number of variations:
TLS: transport layer
security, RFC 2246
SSL v3.0 = TLS v1.0
Provides
Confidentiality
Integrity
Authentication
Original goals:
Had Web e-commerce
transactions in mind
Encryption (especially
credit-card numbers)
Web-server
authentication
Optional client
authentication
Minimum hassle in doing
business with new
merchant
Available to all TCP
applications
Secure socket interface
SSL and TCP/IP
[Figure: protocol stacks]
Normal application: Application / TCP / IP
Application with SSL: Application / SSL / TCP / IP
• SSL provides application programming interface (API)
to applications
• C and Java SSL libraries/classes readily available
Could do something like PGP:
[Figure: m -> H( ) -> K_A^-( ) -> K_A^-(H(m)); m and K_A^-(H(m)) -> K_S( ); K_S -> K_B^+( ) -> K_B^+(K_S); both outputs are sent over the Internet]
• But want to send byte streams & interactive data
• Want a set of secret keys for the entire connection
• Want certificate exchange part of protocol:
handshake phase
Real SSL: Handshake (1)
Purpose
1. Server authentication
2. Negotiation: agree on crypto algorithms
3. Establish keys
4. Client authentication (optional)
Real SSL: Handshake (2)
1. Client sends list of algorithms it supports, along
with client nonce
2. Server chooses algorithms from list; sends back:
choice + certificate + server nonce
3. Client verifies certificate, extracts server’s
public key, generates pre_master_secret,
encrypts with server’s public key, sends to server
4. Client and server independently compute
encryption and MAC keys from
pre_master_secret and nonces
5. Client sends a MAC of all the handshake messages
6. Server sends a MAC of all the handshake
messages
handshake
[Figure: client’s nonce, pre-master secret and server’s nonce -> generator -> master secret -> generator -> server’s MAC key, server’s encryption key, server’s IV, client’s MAC key, client’s encryption key, client’s IV]
Real SSL: Handshaking (3)
Last 2 steps protect handshake from tampering
Client typically offers range of algorithms,
some strong, some weak
Man-in-the-middle could delete the stronger
algorithms from list
Last 2 steps prevent this
Last two messages are encrypted
SSL Record Protocol
[Figure: data is split into data fragments; each fragment gets a MAC; each fragment and its MAC are encrypted and carried behind a record header]
record header: content type; version; length
MAC: includes sequence number, MAC key M_x
Fragment: each fragment 2^14 bytes
SSL Record Format
[Record layout: content type (1 byte) | SSL version (2 bytes) | length (2 bytes) | data | MAC]
Data and MAC encrypted (symmetric algo)
Content types in record header
application_data (23)
alert (21)
signaling errors during handshake
signal connection closure
handshake (22)
initial handshake messages are carried in
records of type “handshake”
change_cipher_spec (20)
indicates change in encryption and
authentication algorithms
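An added example (not from the original slides): a Python parser for the record header and content types described above, run over a constructed byte stream that ends with an incomplete record. The MAX_BODY limit and the (3, 1) version bytes for TLS 1.0 come from the TLS RFCs rather than the slides, and the function names are illustrative.

```python
import struct

# Header layout from the slide: content type (1 byte), SSL version (2 bytes,
# major and minor), length (2 bytes, big-endian).
HEADER = struct.Struct("!BBBH")
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
# Upper bound on an encrypted record body taken from the TLS RFCs, not from
# the slides: a 2^14-byte fragment plus room for MAC and padding.
MAX_BODY = 2**14 + 2048


def build_record(content_type, body, version=(3, 1)):
    """Helper for the constructed samples below."""
    return HEADER.pack(content_type, version[0], version[1], len(body)) + body


def parse_records(stream):
    """Return (records, leftover). Each record is (type name, version, body).

    leftover holds the bytes of a trailing incomplete record, which a caller
    reading from a socket would keep until more data arrives.
    """
    records, pos = [], 0
    while len(stream) - pos >= HEADER.size:
        ctype, major, minor, length = HEADER.unpack_from(stream, pos)
        if ctype not in CONTENT_TYPES:
            raise ValueError(f"unknown content type {ctype} at offset {pos}")
        if length > MAX_BODY:
            raise ValueError(f"record length {length} exceeds {MAX_BODY}")
        end = pos + HEADER.size + length
        if end > len(stream):
            break                                   # body not fully received
        records.append((CONTENT_TYPES[ctype], (major, minor),
                        stream[pos + HEADER.size:end]))
        pos = end
    return records, stream[pos:]


if __name__ == "__main__":
    # Constructed stream; bodies are placeholders, not real ciphertext.
    stream = (build_record(22, b"\x01" * 8) + build_record(20, b"\x01")
              + build_record(23, b"\xaa" * 40)
              + build_record(21, b"\x00" * 30)[:12])
    records, leftover = parse_records(stream)
    for name, version, body in records:
        print(name, version, len(body))
    print("bytes awaiting more data:", len(leftover))
```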
Real Connection
TCP FIN follows
Key derivation
Client random, server random, and pre-master
secret input into pseudo random-number
generator.
Produces master secret
Master secret, client and server random numbers
into another random-number generator
Produces “key block”
Key block sliced and diced:
client MAC key
server MAC key
client encryption key
server encryption key
client initialization vector (IV)
server initialization vector (IV)
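An added example, not from the original slides, covering this key derivation together with the last three handshake steps (key computation and the two MACs over the handshake messages) in Python. It assumes the TLS 1.2 PRF (HMAC-SHA256, RFC 5246) rather than the MD5/SHA-1 PRF of the TLS 1.0 RFC cited earlier, and the nonces, pre-master secret and handshake messages are constructed.

```python
import hashlib
import hmac


def prf(secret, label, seed, length):
    """TLS 1.2 PRF (RFC 5246, section 5): HMAC-SHA256 expansion of label+seed."""
    seed = label + seed
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()      # A(i)
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def derive(pre_master, client_random, server_random,
           mac_len=32, key_len=16, iv_len=16):
    """Return (master secret, dict of the six values sliced from the key block)."""
    master = prf(pre_master, b"master secret",
                 client_random + server_random, 48)
    names = ["client MAC key", "server MAC key", "client encryption key",
             "server encryption key", "client IV", "server IV"]
    sizes = [mac_len, mac_len, key_len, key_len, iv_len, iv_len]
    block = prf(master, b"key expansion",
                server_random + client_random, sum(sizes))
    keys, pos = {}, 0
    for name, size in zip(names, sizes):
        keys[name] = block[pos:pos + size]
        pos += size
    return master, keys


def handshake_mac(master, label, handshake_messages):
    """MAC over every handshake message seen so far (TLS 1.2 Finished value)."""
    transcript = hashlib.sha256(b"".join(handshake_messages)).digest()
    return prf(master, label, transcript, 12)


if __name__ == "__main__":
    # Constructed inputs; real nonces and the pre-master secret are random.
    client_random, server_random = bytes(range(32)), bytes(range(32, 64))
    pre_master = b"\x03\x03" + bytes(46)
    master, keys = derive(pre_master, client_random, server_random)
    for name, value in keys.items():
        print(f"{name}: {value.hex()}")
    # The client offered two algorithms; the server received a shortened list.
    sent = [b"hello algs=strong,weak", b"server choice", b"key exchange"]
    seen = [b"hello algs=weak", b"server choice", b"key exchange"]
    print("handshake MACs match:",
          handshake_mac(master, b"client finished", sent)
          == handshake_mac(master, b"client finished", seen))
```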