Network Security
Download
Report
Transcript Network Security
Network Security
Sorina Persa
Group 3250
Overview
Security services
Security threats
Encryption
Conventional encryption
Conventional encryption algorithms
Public key encryption
Public key encryption algorithms
Message authentication
IPv4 and IPv6 security
Security Services
Confidentiality
Integrity
Authentication
Access control
Non-repudiation
Availability
Security threats
Information
source
Information
destination
a) Normal flow
b) Interruption
c) Interception
d) Modification
e) Fabrication
Security threats
Interruption – attack on availability
Interception – attack on confidentiality
Modification – attack on integrity
Fabrication – attack on authenticity
Security threats
Passive attacks – eavesdropping on or monitoring of
transmissions
Release of message contents
Traffic analysis
Active attacks – modification of the data stream or
creation of a false stream
Masquerade
Replay
Modification of message
Denial of service
Encryption
Encryption = the tool used for network and
communication security
It protects against passive attacks
Types:
Conventional encryption
Public-key encryption
Hybrid of the precedent ones
Conventional Encryption
Two parties share a single
encryption/decryption key
Encryption
algorithm
(e.g. DES)
Transmitted
ciphertext
Decryption
algorithm
Plaintext input
Plaintext output
Secret key
Secret key
Conventional encryption
Approaches to attacking a conventional
encryption scheme:
Cryptanalysis – relies on the nature of the algorithms and
some plaintext-ciphertext pairs
Brute-force attacks – try every possible key
Time for key search
Time required at
1 encryption/sec
Time required at
106 encryptions/sec
Key size
(bits)
Number of
alternative keys
32
56
128
232 = 4.3x109 231 sec = 35.8 mins 2.15 millisecs
256 = 7.2x1016 1142 years
10.01 hours
3.4x1038
5.4x1024 years
5.4x1018 years
Conventional encryption
algorithms
Block ciphers – process the plaintext input in
fixed-size blocks and produce a block of
ciphertext of equal size for each plaintext block
It is symmetric
DES (Data encryption standard)
DEA (Data encryption algorithm)
TDEA (Triple data encryption algorithm)
AES (Advanced encryption standard)
DEA
DES was developed by NIST
DEA key size is 56 bits and the blocks are of 64 bits
Since 1977, every 5 years, NIST approved DES for use
In 1997, NIST solicited a new secret key algorithm called
Advanced Encryption Standard (it uses 128-bit block size and a
key length of minimum 128 bits)
In 1998 EFF (Electronic Frontier Foundation) announced that it
had broken DES
In October 2000, successor to DES was selected and it was
called Rijndael
Double and triple DES is also common
Triple DEA uses 3 keys and 3 executions of DEA:
C = Ek3[Dk2[Ek1[P]]]
Its key length is of 168 bits
Location of encryption devices
Link encryption
End-to-end encryption
Decrypt each packet at
every switch
the source encrypts and
the destination decrypts
Hybrid
Both link and end-toend are needed
High security
Key distribution
For encryption to work over a network, the two
parties (sender and receiver) must exchange and
share the same keys, while protecting access to the
keys from others.
A key could be selected by A and physically distributed to B
A third party could select the key and physically deliver it to
A and B.
If A and B have previously and recently used a key, one
party could transmit the new key to the other, encrypted
using the old key
If A and B could have an encrypted connection to a third
party C, C could deliver a key on the encrypted link to A
and B
Public key encryption
Public key algorithms are based on mathematical
function rather than on simple operations on bit
patterns
Public key cryptography is asymmetric, involving the
use of two separate keys
The key ingredients are similar to that of conventional
secret key algorithms, except that there are two keys – a
public key and a private key used as input to the
encryption and the decryption algorithm
Public key encryption
Encryption
algorithm
(e.g. RSA)
Transmitted
ciphertext
Decryption
algorithm
Plaintext input
Plaintext output
Destination’s
public key
Destination’s
private key
Public key encryption
Steps:
Generation of a pair of keys to be used for
encryption and decryption of message
Placing one of the keys in a public register and
maintaining a collection of public keys from the
other users
Encrypting the message with the destination’s public
key
When the destination receives the message, it
decrypts it with the private key
Digital signature
Encryption
algorithm
(e.g. RSA)
Transmitted
ciphertext
Decryption
algorithm
Plaintext input
Plaintext output
Source’s
private key
Source’s
public key
Safe from alteration but not safe from eavesdropping
Public key encryption algorithms
RSA – invented in 1973 by three MIT professors
In contrast to DES, RSA uses sophisticated
mathematics instead of simple manipulation and
substitution
Mostly 1024 bit keys are used
Public key encryption and decryption using RSA is
1000 times slower than secret key methods using DES
DSA (Digital signature algorithm) – used for digital
signatures
DSA was proposed by NIST
Hybrid of Conventional and Public
key encryption
A encrypts the message using conventional
encryption with a one-time conventional session
key
A encrypts the session key using public key
encryption with B’s public key
Attach the encrypted session key to the message
and send it to B
Message Authentication and
Hash function
It protects against active attacks
It proves that the message has not been altered
and that the source is authentic
MAC (Message Authentication Code)
K
M
M
M
MAC algo
K
Compare
MAC algo
MAC
One-way Hash Function
It accepts a variable-size message M as input and
produces a fixed-size message digest H(M) as
output
H(M) is sent with the message
It does not take a secret key as input
The message digest can be encrypted using
Conventional encryption
Public-key encryption
Secret value
Message digest encrypted using
conventional encryption
M
H
M
M
H
K
K
E
D
Compare
Message digest encrypted using
public-key encryption
M
H
M
M
H
Compare
Kprivate
Kpublic
E
D
Message digest encrypted using
secret value
M
H
M
M
H
Compare
Secure Hash Function
Requirements:
H can be applied to a block of data of any size
H produces a fixed-length output
H(x) is easy to compute for every x
For any given code h, it is computationally infeasible to find x
such that H(x)=h
For any given block x, it is computationally infeasible to find
y!=x with H(y)=H(x)
It is computationally infeasible to find any pair (x,y) s.t.
H(x)=H(y)
One of the most important hash function is SHA-1
(every bit of the hash code is a function of every bit in
the input)
IPv4 and IPv6 security
Need to secure the network infrastructure against
unauthorized monitoring and control of network traffic
and the need to secure end-user-to-end-user traffic
using authentication and encryption mechanisms
In response, IAB included authentication and
encryption as necessary security features in IPv6
IPSec provides the capability to secure communication
across a LAN, across private and public WANs and
across the Internet
The principal feature of IPSec: it can encrypt and/or
authenticate all traffic at the IP level
IPv4 and IPv6 security
IPSec’s main facilities:
AH (Authentication Header) – an authentication-only
function
ESP (Encapsulating Security Payload) – a combined
authentication/encryption function
Provides support for data integrity and authentication of IP packets
Provides confidentiality services, including confidentiality of message
contents and limited traffic flow confidentiality
A key exchange function
Manual key management
Automated key management
Security association
It is a one-way relationship between a sender
and a receiver that affords security services to
the traffic carried on it
It can be identified by:
SPI (Security parameters index)
IP destination address: only unicast addresses are
allowed
Security protocol identifier: AH or ESP SA
IPv4 and IPv6 security
AH and ESP support two modes of use:
Transport mode
Provides protection primarily for upper-layer protocols
Provides protection to the payload of an IP packet
Typically used for end-to-end communication between
hosts
Tunnel mode
Provides protection to the entire IP packet
Used when one or both ends of an SA is a security
gateway, such as a firewall or router that implements
IPSec