Transcript ch8

COM 360
1
Chapter 8
Network Security
2
Need For Security
• Motivation: Why do we need security?
• Increased reliance on Information technology with or with out
the use of networks
• The use of IT has changed our lives drastically.
• We depend on E-mail, Internet banking, and several other
governmental activities that use IT
• Increased use of E-Commerce and the World wide web on the
Internet as a vast repository of various kinds of information
(immigration databases, flight tickets, stock markets etc.)
3
Need For Security
• Damage to any IT-based system or activity can result in
severe disruption of services and losses
• Systems connected by networks are more prone to attacks
and also suffer more as a result of the attacks than standalone systems (Reasons?)
• Concerns such as the following are common
– How do I know the party I am talking on the network is really the
one I want to talk?
– How can I be assured that no one else is listening and learning the
data that I send over a network
– Can I ever stay relaxed that no hacker can enter my network and
play havoc?
4
More Security Concerns
• Is the web site I am downloading information
from a legitimate one, or a fake?
• How do I ensure that the person I just did a
financial transaction denies having done it
tomorrow or at a later time?
• I want to buy some thing online, but I don’t want
to let them charge my credit card before they
deliver the product to me.
5
That is why…
• ..we need security
– To safeguard the confidentiality, integrity,
authenticity and availability of data transmitted over
insecure networks
– Internet is not the only insecure network in this world
– Many internal networks in organizations are prone to
insider attacks
– In fact, insider attacks are greater both in terms of
likelihood of happening and damage caused.
6
Network Security
• Unless security measures are taken, a network
conversation or a distributed application may be
compromised by an adversary (or “black hat”).
• For example eavesdropping: how is this done?
• On an Ethernet, any node can be configured to receive
all the traffic.
• Wireless communication can be monitored without a
physical connection.
• More elaborate approaches include wiretapping or
planting spy ware on on nodes.
7
Taxonomy of Network Security
Security
Cryptography
algorithms
Secret
key
(e.g., DES)
Public
key
(e.g., RSA)
Security
services
Message
digest
(e.g., MD5)
Privacy
Authentication
Message
integrity
8
Threats and Solutions
•
•
•
•
•
Confidentiality and Integrity
Authentication
Access control
Denial of Service (DoS) and Availability
Non-repudiation
9
Security Threats and Attacks
10
Security Attacks
• Interruption: This is an attack on availability
– Disrupting traffic
– Physically breaking communication line
• Interception: This is an attack on confidentiality
– Overhearing, eavesdropping over a communication
line
11
Security Attacks
• Modification: This is an attack on integrity
– Corrupting transmitted data or tampering with it
before it reaches its destination
• Fabrication: This is an attack on authenticity
– Faking data as if it were created by a legitimate
and authentic party
12
Passive Attacks
13
Passive Attacks-Traffic Analysis
14
Active Attacks-Masquerade
15
Active Attacks- Replay
16
Types of Threats
• Information access threats
– Intercept or modify data on behalf of users who
should not have access to that data.
– E.g. corruption of data by injecting malicious code
• Service threats
– Exploit service flaws in computers to inhibit use by
legitimate uses.
– E.g. disabling authentication, denial of service (DoS)
17
Security Goals
Confidentiality
Integrity
Availability
18
Confidentiality and Integrity
• Encrypting messages provides confidentiality, because
the contents of a message cannot be easily understood.
• Concealing the quantity or destination of
communications is called traffic confidentiality.
• A protocol that detects message tampering provided data
integrity. The adversary could transmit an extra copy of
your message in a replay attack.
• A protocol that detects replays provides originality.
• A protocol that detects delaying tactics provides
timeliness.
• Data integrity, originality, and timeliness are all aspects
19
of integrity.
Authentication
• Another threat to a customer is unknowingly being
directed to a false web site often used in “phishing”attempting to gather your personal information.
• This results from a DNS attack in which false
information is entered into a domain name server or
into the name service cache of the customer’s computer,
causing a correct URL to be is translated into an
incorrect IP address.
• A protocol that ensures that you are communicating
with the host/person you think you are sending to is
authentication.
20
Access Control and Availability
• The owner of the web site can be attacked. The
contents or format can be remotely accessed,
modified, destroyed without authorization.
• This is an issue of access control: enforcing
the rules of who is allowed to do what.
• Web site have been subject to denial of service
attacks (DoS), during which users cannot
access it because of numerous bogus requests.
Ensuring a degree of access is called
availability.
21
Non-repudiation
• Both the customer and the web site face threats
form each other.
• Each can deny that a transaction occurred, or
invent a nonexistent transaction.
• Non-repudiation means that a bogus denial
repudiation of a transaction can be disproved and
nonforgeability means that claims of a bogus
(forged) transaction can be disproved.
22
Cryptographic Tools
• Cryptographic algorithms – ciphers and
cryptographic hashes are building blocks of a
solution.
• Then the keys, or secret parameters input into the
algorithms, need to be distributed securely.
• These need to be incorporated into the protocols
that provide secure communications between
those who possess the correct keys.
23
Principles of Ciphers
• Encryption transforms a message in such a way
that it becomes unintelligible to anyone who
cannot reverse the transformation.
• Sender applies an encryption function to a
plaintext message, resulting in a cipher text
message that is sent over the network.
• Receiver applies a secret decryption functionthe inverse of the encryption function- to
recover the original message.
24
Symmetric Key Encryption
and Decryption
Plaintext
Plaintext
Encrypt w ith
secret key
Decrypt w ith
secret key
Ciphertext
Example: Caesar cipher
25
Principles of Ciphers
• The cipher text, transmitted across the
network (in binary) is unintelligible to
anyone eavesdropping on the network, who
does not know the decipher function.
• The transformation represented by the
encryption and its corresponding decryption
function is called a cipher.
26
Principles of Ciphers
• Since 1883 cryptographers have used the basic principle
that the encryption and decryption functions should be
parameterized by a key and that the functions should be
public knowledge- only the key must be secret.
• The cipher text produced for a given plaintext message
depends on both the encryption function and the key.
• Basic requirement is that encrypted messages cannot be
read by those who do not know the key.
• It is easy to encode, but hard (nearly impossible to
decode).
• If a key has n bits there are 2n possible values- thus large
27
keys are used.
Average time required for
exhaustive key search
Key Size
(bits)
Number of
Alternative Keys
Time required at 106
Decryption/µs
32
232 = 4.3 x 109
2.15 milliseconds
56
256 = 7.2 x 1016
10 hours
128
2128 = 3.4 x 1038
5.4 x 1018 years
168
2168 = 3.7 x 1050
5.9 x 1030 years
28
Conventional Encryption
Principles
29
Ciphers
• Block ciphers- defined to take input as a block of (64 to
128) bits. Called electronic codebook (ECB) mode
encryption, it has the weakness that the same plaintext
will always produce the same cipher text block.
Recurring sequences will make it easier to decode.
• The are modes of operation that make the cipher text
vary. Cipher block chaining XOR’s each plaintext block
with the cipher text of the previous one (except the 1st,
which is randomly generated.)
30
Cipher Block Chaining(CBC)
Plaintext
Plaintext
Encrypt w ith
public key
Decrypt w ith
private key
Ciphertext
31
Cipher Block Chaining(CBC)
Plaintext block 3
Plaintext block 2
Plaintext block 1
Plaintext block 0
Encryption
Function
XOR
Blocks of
Cipher text
Initialization vector
32
Secret or Symmetric Key Ciphers
• In symmetric-key ciphers, both parties share the same
key, which is used both for encryption and decryption.
• These are also called private-key or secret-key ciphers,
because the key must remain secret.
• Data Encryption Standard (DES) was the first of these
and used 56 bit keys (now too small with fast processors
to decode).
• 1999 DES should only be used for legacy systems.
33
Secret or Symmetric Key Ciphers
• DES encrypts a 64 bit block using a 64 bit key,
which contains 56 usable bits and 8 parity bits:
• DES has 3 phases:
– The 64 bits in the block are permuted ( shuffled)
– Sixteen rounds of identical operations are applied to the
resulting data and the key.
– The inverse of the original permutation is applied to the
result.
• During each round, the block is broken in half and
a different 48 bits are selected from the 56 bit key.
34
High-level outline of DES
Initial permutation
Round 1
Round 2
56-bit
key
Round 16
Final permutation
35
Manipulation At Each Round Of
DES
Li
─ 1
R
i
─ 1
F
K
i
+
L
i
Ri
F and K are functions (See formulas pp. 585-587).
36
Secret or Symmetric Key Ciphers
• Triple DES (3DES) uses the cryptanalysis-resistance of
DES and increases the key size to 168 bits (3*56) and
uses 3 keys. It is slow because it was originally designed
to be implemented in hardware.
• Replaced in 2001 by Advanced Encryption Standard
(AES), which support bit lengths of 128, 192, or 256 bits
and blocks of 128 bits.
• AES permits fast implementation in hardware and
software. It requires little memory and so can be used in
small mobile devices. It has proven mathematically
secure properties and has not been successfully attacked.
37
Public Key Encryption (RSA)
• Asymmetric or public-key ciphers are an alternative to
symmetric-key ciphers.
• A public-key cipher uses a pair of keys, one for
encryption and another one for decryption. The pair of
keys is “owned” by one participant.
• The owner keeps the decryption key secret so that only
the owner can decrypt messages. This key is the private
key.
• The encryption key is public so that anyone can encrypt
a message. This key is the public key.
38
39
Pubic Key Encryption (RSA)
• Public key ciphers are used primarily for Concept of
public-key ciphers was first published in 1976 by
Diffie and Hellman although the British and the US
National Security Agency (NSA) claim to have
discovered them as early as the mid 1960’s.
• authentication.
• RSA is best known, named after it developers: Rivest,
Shamir and Adleman.
• It relies on the high computational cost of factoring
very large prime numbers.It needs large keys (1024
bits or greater) to be secure. Slower than public keys
40
Security Mechanisms
• Cryptographic algorithms are just one part
of providing network security.
• We need a set of mechanisms and protocols
to authenticate participants, techniques for
assuring the integrity of messages and some
approaches to the problem of distributing
public keys.
41
Authenticators
• Encryption alone does not provide data
integrity. Nor does encryption alone provide
authentication.
• An authenticator is a value, to be included
with a transmitted message, that can be used
to verify simultaneously the authenticity
and the data integrity of the message.
42
Authenticators
• To support data integrity an authenticator includes
redundant information about the message contents.
(It is like a checksum or CRC).
• To support authentication, an authenticator includes
some proof that whoever created the authenticator
knows some “secret” that is only known to the
message sender.( For example, the secret could be a
key and the proof could be some value encrypted
using the key.)
43
Authentication
• There are three common protocols for
implementing authentication.
• Two use secret key cryptography (DES) and
the third uses public-key cryptography (RSA).
• During authentication, two participants
establish the session key that is used to
establish privacy during the communication.
44
Simple Three Way Handshake
• A simple authentication protocol is possible when two
participants who want to authenticate each otherthink of them as a client and server- already share a
secret key.
• The use a 3-way handshake, where E(m,k) denotes the
encryption of a message m with a key k and D(m,k)
denotes the decryption of the message. SHK is the
server handshake key.
• The client also decrypts a random number (y) sent by
the server and returns it to the server.
• Situation is similar to user(client) having an account
45
on a server, where both know the password.
Three Way Handshake
Client
Server
Protocol for authentication
46
Trusted Third Party
• Two participants may know nothing about
each other, but both may trust a third party.
• Third part is called an authentication
server and uses a protocol to help the two
parties authenticate each other.
• There are several different protocols.
Kerberos, developed at MIT, is a common
one.
47
KERBEROS
In Greek mythology, a many headed dog, the
guardian of the entrance of Hades
48
Kerberos
• Kerberos is a computer network
authentication protocol which allows
individuals communicating over an insecure
network to prove their identity to one
another in a secure manner.
• Kerberos prevents eavesdropping or replay
attacks, and ensures the integrity of the data.
49
Kerberos
• Uses symmetric key cryptography
• Requires a trusted third party, called a Key
Distribution Center (KDC)
– Authentication Server (AS)
– Ticket Granting Server (TGS)
• Based on “tickets” to prove the identity of
users
50
Authentication in Kerberos
S
A
B
A, B
E((T
,
E((T
,
L, K
, B)
, K
L, K
A ),
, A)
, K
B)
E((A
, T)
E ((T
, K)
, L,
,
K, A
), K
B)
K)
,
1
E(T +
Authentication using a trusted third party
51
Digital Signatures Using RSA
• A digital signature is a special case of a message
integrity code, where the code can have been generated
by only one participant.
• To sign a message you encrypt it using your private key
and to verify a signature, you decrypt it using the public
key of the sender.
• This is the reverse of the use of keys for privacy.
(Sender uses private key to encrypt rather than the
receiver’s public key and the receiver decrypts with the
sender’s public key rather than the receiver’s private
key.)
52
• This is slow, since RSA is slow.
Encryption using Public-Key
System
53
Authentication using Public-Key
System
54
Digital Signatures
• The receiver of a message with a digital
signature can prove that the sender really sent
that message.
• Any public-key cipher can be used for a digital
signature.
• Digital signature standards (DSS) can use RSA,
or one based on ElGamal or and Ellipse Curve
Digital Signature Algorithm.
55
Digital Signatures: The basic idea
public key
?
public key
Alice
private
key
Bob
56
Key Pre-distribution
• To use ciphers and authenticators, the
communicating participants need to know what
keys to use.
• How do participants obtain the keys?
57
Diffie-Hellman Key Agreement
• First introduced by Diffie-Hellman in 1976
• Mathematical functions rather than simple
operations on bit patterns
• Allows two separate keys
– Exchange keys securely
– Compute discrete logarithms
• Some misconceptions, corrected
– NOT more secure than symmetric key
– Does NOT make symmetric key obsolete
– Central agent is needed for both
58
Diffie-Hellman basics
Pick secret, random
X
Pick secret,
random Y
gx mod p
gy mod p
Alice
Bob
Compute k=(gy)x=gxy mod p
Compute k=(gx)y=gxy mod p
59
Diffie-Hellman Key Exchange
60
Key Distribution
• Session key:
– Data encrypted with a one-time session key.At
the conclusion of the session the key is
destroyed
• Permanent key:
– Used between entities for the purpose of
distributing session keys
61
Key Management
• Distribution of public keys
– Well, what’s the issue?
– Can’t we just trust Mallory if she claims a key
as her public key?
public key
Mallory
?
public key
Alice
private key
Bob
62
Authenticity of public keys
?
Alice
private key
Bob
public key
Problem: How does Alice know that the public key
she received is really Bob’s public key?
63
Pre-distribution of Public Keys
• The algorithms to generate a pair of public and private
keys are publicly known and the software is readily
available.
• But how can someone publicize a public key? Not by
email or the Web, because an adversary could forge it.
• The basic solution is a digital certificate.
• One of the major certificate standards is known as
X.509, which included the basic certificate structure.
64
Certificates
• Certificates allow the building of chains of
trust, arranged in a tree-like hierarchy.
• If everyone has the public key of the root,
then any participant could provide a chain of
certificates to another participant.
• What is being certified? A particular person
(often identified by email), or even an entire
domain.
65
Tree Structured Certification
Authority Hierarchy
IPRA = Internet Policy
Registration Authority (root)
PCA n = policy certification authority
CA = certification authority
IPRA
PCA1
CA
User
PCA2
CA
User
User
CA
PCA3
CA
CA
CA
CA
User
User
User
CA
User
User
66
Certification Authorities
• Trust is binary- you either trust someone
completely or not at all. Together with
certificates, this allows the building of chains of
trust.
• A certification authority or certificate authority
(CA) is an entity claimed to be trustworthy for
verifying identities and issuing public key
certificates. There are commercial, government
and free CA’s.
67
Certificate Revocation
• One issue that arises with certificates is how to
revoke or undo them.
• When is this needed? For example when a private
key has been discovered or compromised.
• A certificate authority can issue a certificate
revocation list (CRL) which is a digitally signed
list of certificates that have been revoked.
68
Secure Systems
• Components of a secure system include the
cryptographic algorithms, key distribution
mechanisms, and authentication protocols.
• Systems that use these components can be
categorized by the protocol layer at which they
operate.
• At the application layer: PGP (email security)and
Secure Shell SSH ( remote login)
69
Secure Systems
• At the transport layer: Transport Layer
Security (TLS) and the older Secure Socket
Layer (SSL).
• At the IP or network layer the IP security
protocol (IPsec) provides security.
• 802.11i provides security at the data link
layer of wireless networks.
70
Web of Trust
• An alternate model of trust is the web of
trust exemplified by Pretty Good Privacy
(PGP), which is a system for email.
• PGP operates at the application layer.
71
Pretty Good Privacy
• PGP is a popular approach to providing
encryption and authentication capabilities for
electronic mail.
• PGP allows certification relationships to form
an arbitrary mesh and for each user to decide
how much trust to place in a given certificate.
• “PGP is for people who like to pack their own
parachutes” ( Paul Zimmerman)
72
Secure Shell (SSH)
• SSH provides a remote login service and is intended to
replace the less secure Telnet and rlogin programs.
• SSH can be used to transfer files and remotely execute
commands like the Unix rsh and rcp commands.
• SSH is most often used to provide strong client/server
authentication, where SSH client runs on the desktop and
the SSH server runs on the remote machine.
• It supports message integrity and confidentiality, which
telnet and rlogin do not.
73
SSH Forwarding
Host A
Host B
Application
client
Direct connection
Application
server
Forw arded connection
SSH
SSH
Using SSH port forwarding to secure other TCP-based
applications.
74
Transport Layer Security
(TLS, SSL, HTTPS)
• As the World Wide Web became popular and ecommerce grew, a greater level of security
became necessary for transactions on the Web.
• There are several issues when making a credit
card purchases:
– Your information might be intercepted and used to
make unauthorized purchases;
– The transaction details may be modified;
– The computer you are sending the information to
should belong to the vendor, etc.
75
Transport Layer Security
(TLS, SSL, HTTPS)
• The designers of SLL and TLS recognized
that these problems are not specific to the
Web and built general purpose protocols
that sit between the application (HTTP) and
the transport protocol (TCP).
• From the application’s perspective, the
protocol layer looks like a normal transport
protocol, except that it is secure.
76
Transport Layer Security
(TLS, SSL, HTTPS)
• By running the secure transport layer on top of
TCP, all of the features of TCP (reliability, flow
control, congestion control, etc.) are provided to
the application.
• When HTTP is used in this way, it is known as
secure HTTP or HTTPS. It delivers and accepts
data from the SSL/TLS layer, rather than from
TCP.
77
Secure HTTP (HTTPS)
https://
(V.Shmatikov)
78
Secure Transport
Application (e.g., HTTP)
Secure transport layer
TCP
IP
Subnet
Secure transport layer inserted between application and
TCP layers.
79
IP Security (IPsec)
• The most ambitious attempt to integrate security into the
Internet happens at the IP layer.
• Support for IPsec is optional in IPv4, but mandatory in
IPv6.
• IPsec is a framework (rather than a single protocol) for
providing security services. It is:
– Highly modular, allowing users to choose from a large menu of
security properties;
– Protect a narrow stream or wide stream of data
80
IP Security (IPsec)
• IPsec consists of two parts:
– A pair of protocols that implement security services –
the Authentication Header (AH), which provides
access control, connectionless message integrity,
authentication, and anti-replay protection and the
Encapsulating Security Payload (ESP), which also
supports confidentiality;
– Support for key management – a protocol called
Internet Security Association and Key Management
Protocol (ISAKMP)
81
IP Security (IPsec)
• These form a security association (SA) or a
simplex connection protected by security
services.
• SA’s are established, modified and deleted
using ISAKMP.
• It defines packet formats for exchanging
key generation and authentication data.
82
Wireless Security 802.11i
• Wireless links are particularly exposed to security
threats due to the lack of physical security.
• 802.11i provides authentication, message
integrity, and confidentiality to 802.11 (WI-FI) at
the data link layer.
• 802.11i authentication supports two modes:
– Personal mode (pre-shared key mode), provides
weaker, but more convenient and economical security,
especially for home networks.
83
Wireless Security 802.11i
• The wireless device and access point (AP)
are pre-configured with a shared passphaseessentially a very long password- from
which the pair-wise master key is
cryptographically derived.
84
Firewalls
• A firewall is the sole point of connectivity between the
site it protects and the rest of the network.
• It is usually implemented as part of a router, although a
personal firewall may be implemented on an end-user
machine.
• There should be no way to bypass the firewall via other
gateways, or wireless connections.
• The “wall” metaphor is misleading since it is the
absence of connectivity – not the presence of a barrierthat prevents communication.
• A firewall is like the only door (connection) through a
85
wall ( absence of any other connection).
A Firewall
Remote
company
user
Firew all
Internet
Company net
Web
server
Random
external
user
A firewall filters packets flowing between a site and the rest of
the network.
86
Firewalls
• A firewall provides access control by restricting which
messages it will relay; it forwards messages that are
allowed, and filters out those that are disallowed
(particular ports or IP addresses).
• Firewalls are used to create multiple zones of trust: the
internal network, the demilitarized zone (DMZ) and the
rest of the Internet.
• The DMZ is used for services such as DNS an email
servers that need to be accessible to the outside.
• Firewalls configured based on IP, TCP, and UDP and
are configured with a table of packet addresses for
packets that they will and will not forward.
87
Strengths and Weaknesses of
Firewalls
• A firewall protects a network from undesired
access from the rest of the Internet.
• They can be deployed unilaterally while
cryptography based security usually requires
support at both endpoints.
• Firewalls encapsulate security in a central place,
making it easier to administer.
• They do not prevent attacks from within.
88
Firewall
Firew all
Rest of the Internet
Local site
89
Malware
• Malware is malicious software designed to cause
damage.
• Viruses, worms and spy ware are types of malware.
• Viruses make and spread copies of themselves.
• A worm is a complete program and a virus is a bit
of code inserted into existing software.
• Spy ware collects and transmits private
information about a computer system or its users
and is usually secretly embedded in a useful
program and is spread from system to system.
examples of spy ware include key loggers.
90
Summary
• The job of network security is to keep shared networks
from spying on or interfering with each other’s use of
the network.
• Confidentiality is achieved by encrypting messages.
Data integrity can be assured using cryptographic
hashing.
• Private or Symmetric key ciphers such as AES and
3DES use the same secret key for both encryption and
decryption.
• Public key ciphers, such as RSA, use a public key for
encryption and a secret private key for decryption.
91
Figure 8.6
4-bit chunk
■■■
■■■
■■■
■■■
Expanded to 6 bits by stealing
a bit from left and right chunks
92
Figure 8.7
IV
Block1
Block2
Block3
Block4
+
+
+
+
DES
DES
DES
DES
Cipher1
Cipher2
Cipher3
Cipher4
93
Figure 8.8
Initial “ digest“
(constant)
Message (padded)
512 bits 512 bits
■■■
512 bits
Transform
Transform
Transform
Message digest
94
Figure 8.11
A
B
95
Figure 8.13
Sender identity and message
integrity confirmed
if checksums match
Calculate MD5 checksum
over message contents
Calculate MD5 checksum on
received message and compare
against received value
Sign checksum using RSA
w ith senderÕs private key
Decrypt signed checksum
w ith senderÕs public key
Transmitted message
96
Figure 8.14
Create a random secret key
k
Encrypt message using
DES with secret keyk
Encrypt k using RSA with
recipient‘s public key
Encode messageE+(k )
in ASCII for transmission
Original message
Decrypt message using
DES with secret keyk
Decrypt E(k) using RSA with
my private key
k
Convert ASCII message
Transmitted message
97
Figure 8.17
Client
Server
Hello
[C
[Cer ertificate
t. Ve
]
rify] Keys
Finis
hed
ed
Finish
Data
98
Figure 8.18
NextHdr
PayloadLength
Reserved
SPI
SeqNum
AuthenticationData
99
Figure 8.19
SPI
SeqNum
PayloadData
Padding (0 - 255 bytes)
PadLength
NextHdr
AuthenticationData
100
Figure 8.22
Firew all
External
client
Proxy
External HTTP/TCP connection
Local
server
Internal HTTP/TCP connection
101
Figure 8.23
P
S
R
102
Figure 8.24
net 2
net 1
Outside w orld
R1
R2
103