Transcript CNC
Lecture #22: Network Security 1 A classic lesson The chain is only as strong as its weakest link! 2 In the past ... The networks were primarily used by university researchers for sending e-mail and by corporate employees for sharing printers. The sky was clear and the people were happy and carefree. But now ... But now, as billions are using networks for banking, shopping, and filing their tax returns, network security is looming on the horizon as a potentially massive problem. 3 Security problems sources 4 Security areas Network security problems can be divided roughly into four closely intertwined areas: – – – – secrecy authentication nonrepudiation integrity control. Secrecy, also called confidentiality, has to do with keeping information out of the hands of unauthorized users. Authentication deals with determining whom you are talking to before revealing sensitive information or entering into a business deal. Nonrepudiation deals with signatures: How do you prove that your customer really placed EXACTLY THIS electronic order? Integrity control – Is this message EXACTLY THE SAME as it was originally sent? 5 Security on the network layers Physical layer security – hardware solutions. For example: EM-shielding. All other layers use security methods mainly based on the cryptography. (the name of this science comes from the Greek words for ''secret writing'' ) 6 Cryptography Contributors to the modern Cryptography: • • • • military diplomatic corps diarists lovers 7 Cryptography (2) Symmetric-key encryption model Kerckhoff's (1883) principle: All algorithms must be public; only the keys are secret! 8 Cryptography (3) A simple substitution cipher Each of the symbols in the plaintext, is mapped onto some other symbol. An example for 26 letters: plaintext: a b c d e f g h i j k l m n o p q r s t u v w x y z ciphertext: Q W E R T Y U I O P A S D F G H J K L Z X C V B N M 9 Cryptography (4) A transposition cipher 10 Cryptography (5) An unbreakable symmetric-key method: one-time pad. It uses a very long key which is bitXORed with the message. Disadvantages: Impossible to remember and difficult to store the key. Example: The use of a one-time pad for encryption and the possibility of getting any possible plaintext from the ciphertext by the use of some other pad. 11 Symmetric-Key Algorithms DES – The Data Encryption Standard AES – The Advanced Encryption Standard Cipher Modes Other Ciphers Cryptanalysis 12 Data Encryption Standard (a) General outline. (b) Detail of one iteration. The circled + means exclusive OR (XOR). 13 Triple DES (a) Triple encryption using DES. (b) Decryption. 14 AES – The Advanced Encryption Standard 1. 2. 3. 4. 5. Rules for AES proposals: The algorithm must be a symmetric block cipher. The full design must be public. Key lengths of 128, 192, and 256 bits supported. Both software and hardware implementations required The algorithm must be public or licensed on nondiscriminatory terms. 15 Cryptanalysis Some common symmetric-key cryptographic algorithms: 16 Public-Key Algorithms - RSA 4. Choose two large primes, p and q (typically 1024 bits). Compute n = p x q and z = (p - 1) x (q - 1). Choose a number relatively prime to z and call it d. Find e such that e x d = 1 mod z. An example of the RSA (Rivest, Shamir, Adleman) algorithm: p = 3, q = 11, n = 33, z = 20, d= 7 1. 2. 3. 17 Public-Key Digital Signatures The goal: To verify the message’s integrity. Example: 18 Message Digests Another way to assure the message’s integrity. Examples of message digest functions: MD5 (Rivest, 1992) and SHA-1 (NIST, 1993). 19 Problems with Public-Key Encryption A way for Trudy to subvert public-key encryption. The intruder 20 Certificates A possible certificate and its signed hash. CA = Certification Authority Example: Bulgarian Academic Certification Authority (http://ca.acad.bg) 21 X.509 The basic fields of an X.509 certificate: 22 Public-Key Infrastructures (PKI) (a) A hierarchical PKI. (b) A chain of certificates. 23 IPsec The IPsec authentication header in transport mode for IPv4. 24 IPsec (2) (a) ESP in transport mode. (b) ESP in tunnel mode. ESP = Encapsulating Security Payload 25 Firewalls A firewall consisting of two packet filters and an application gateway. 26 Virtual Private Networks (a) A leased-line private network. (b) A virtual private network. 27 802.11 Security Packet encryption using WEP (Wired Equivalent Privacy). 28 Authentication Protocols Authentication Based on a Shared Secret Key Establishing a Shared Key: Diffie-Hellman Authentication Using a Key Distribution Center Authentication Using Kerberos Authentication Using Public-Key Cryptography 29 Establishing a Shared Key: The Diffie-Hellman Key Exchange The bucket brigade or man-in-the-middle attack. 30 Authentication Using a Key Distribution Center A first attempt at an authentication protocol using a KDC. 31 Authentication Using Kerberos The operation of Kerberos V4. 32 Authentication Using Public-Key Cryptography Mutual authentication using public-key cryptography. 33 Unsecured network protocols: • Ethernet DLL protocols • IPv4 • Telnet, FTP, DNS, SMTP, POP3/IMAP, HTTP, NNTP, SNMP v1,2 etc. Secured network protocols: • IPsec, IPv6 • HTTPS, DNSsec, TLS/SSL, SSH, S/MIME. 34 E-Mail Security PGP – Pretty Good Privacy PEM – Privacy Enhanced Mail S/MIME 35 E-mail security: PGP – Pretty Good Privacy PGP in operation for sending a message. 36 PGP – Pretty Good Privacy (2) A PGP message. 37 Web Security Threats Secure Naming SSL – The Secure Sockets Layer Mobile Code Security 38 Secure Naming (a) Normal situation. (b) An attack based on breaking into DNS and modifying Bob's record. 39 Secure Naming (2) How Trudy spoofs Alice's ISP. 40 Secure DNS (DNSsec) Proof of where the data originated. Public key distribution. Transaction and request authentication. Example of DNSsec RRSet for bob.com : The KEY record is Bob's public key. The SIG record is the toplevel com server's signed has of the A and KEY records to verify their authenticity. 41 Self-Certifying Names A self-certifying URL containing a hash of server's name and public key. 42 SSL—The Secure Sockets Layer Layers (and protocols) for a home user browsing with SSL. 43 SSL (2) A simplified version of the SSL connection establishment subprotocol. 44 SSL (3) Data transmission using SSL. 45 Java Applet Security Applets inserted into a Java Virtual Machine interpreter inside the browser. 46 Social Issues Privacy Freedom of Speech Copyright 47 Anonymous Remailers Users who wish anonymity chain requests through multiple anonymous remailers. 48 Freedom of Speech 1. 2. 3. 4. 5. Possibly banned material: Material inappropriate for children or teenagers. Hate aimed at various ethnic, religious, sexual, or other groups. Information about democracy and democratic values. Accounts of historical events contradicting the government's version. Manuals for picking locks, building weapons, 49 encrypting messages, etc. Steganography - hiding messages (a) Three zebras and a tree. (b) Three zebras, a tree, and the complete text of five plays by William Shakespeare. 50 Copyright The granting to the creators of IP (Intellectual Property), including writers, artists, composers, musicians, photographers, cinematographers, choreographers, and others, the exclusive right to exploit their IP for some period of time, typically the life of the author plus 50 years (or 75 years in the case of corporate ownership). After the copyright of a work expires, it passes into the public domain and anyone can use or sell it as they wish. 51 Copyright (2) Examples: Napster, torrents, eMule and other P2Plike networks violate the copyright! (Because they hold some kind of centralized databases which help the people to find the desired IP-material for free downloading.) 52 End-user security rules Don’t write your password on paper! Don’t tell your password to anybody! (even to your sysadmin). Don’t use short or easy to guess passwords! examples of good passwords: The g1rL frΘm !panemA Macro$oft L!nuX ;-) Change your password frequently! Don’t loose your private key! Never leave your computer unattended while logged in! Beware of viruses, trojan horses, worms etc. fauna! Apply the recent security updates and patches to your OS and software! Always remember that there is no 100% Security! 53