Lecture 11
Network Security (1)
Khaled Mahbub, IICT, BUET, 2008
ICT 6621 : Advanced Networking
Outline
• Network Security Concepts
• Principles of cryptography
• Authentication
• Integrity
• Key Distribution and certification
• Security in many layers
Network Security
• Confidentiality (Secrecy): only sender, intended receiver
should “understand” message contents
– sender encrypts message
– receiver decrypts message
• Authentication: sender, receiver want to confirm identity
of each other
• Message Integrity: sender, receiver want to ensure
message is not altered (in transit, or afterwards) without
detection
• Access and Availability: services must be accessible and
available to users
Friends and Enemies
• well-known in network security world
• “A” and “B” want to communicate “securely”
• “C” (intruder) may intercept (passive intruder), delete,
add messages (active intruder)
[Figure: A (secure sender) and B (secure receiver) exchange data and control messages over a channel; intruder C is on the channel.]
Who Might A, B and C be?
Possible A and B
• real-life human users
• Web browser/server for
electronic transactions (e.g., online purchases)
• on-line banking client/server
• DNS servers
• routers exchanging routing table
updates
Possible C
– eavesdrop: intercept
messages
– actively insert messages into
connection
– impersonation: can fake
(spoof) source address in
packet (or any field in packet)
– hijacking: “take over” ongoing
connection by removing
sender or receiver, inserting
himself in place
– denial of service: prevent
service from being used by
others (e.g., by overloading
resources)
Outline
• Network Security Concepts
• Principles of cryptography
• Authentication
• Integrity
• Key Distribution and certification
• Security in many layers
The Language of Cryptography
[Figure: plaintext → encryption algorithm (A’s encryption key $K_A$) → ciphertext → decryption algorithm (B’s decryption key $K_B$) → plaintext; intruder C is on the channel.]
symmetric key cryptography: sender, receiver keys
identical
public-key cryptography: encryption key public,
decryption key secret (private)
Symmetric Key Cryptography
• substitution cipher: substituting one thing for
another
– Caesar cipher: taking each letter in the plaintext
message and substituting the letter that is k letters later
(allowing wraparound), i.e. if k=4, then the letter "a" in
plaintext becomes "d" in cipher text; "b" in plaintext
becomes "e" in cipher text, and so on.
– monoalphabetic cipher: substitute one letter for another
plaintext:  abcdefghijklmnopqrstuvwxyz
ciphertext: mnbvcxzasdfghjklpoiuytrewq
E.g.:
Plaintext:  hello there
ciphertext: acggk uacoc
Symmetric Key Cryptography
• Vigenere ciphers: use multiple monoalphabetic ciphers,
with a specific monoalphabetic cipher to encode a letter
in a specific position in the plaintext message.
• Example: two different Caesar ciphers C1 (k=6) and
C2 (k=20), used in the repeating pattern C1, C2, C2, i.e.
the first letter of plaintext is to be encoded using C1, the
second and third using C2. The pattern then repeats.
Plaintext: hello there
ciphertext: mxeqh mmxkj
Symmetric Key Cryptography
• Transposition Cipher:
Symmetric Key Cryptography: DES
DES: Data Encryption Standard: US encryption standard [NIST 1993]
• 56-bit symmetric key, 64-bit plaintext input
DES operation
• initial permutation
• 16 identical “rounds” of function application, each using different 48 bits of key
• final permutation
• How secure is DES?
– DES Challenge: 56-bit-key-encrypted
phrase (“Strong cryptography makes
the world a safer place”) decrypted
(brute force) in 4 months
– no known “backdoor” decryption
approach
• making DES more secure:
– use three keys sequentially (3-DES) on
each datum
Public Key Cryptography
symmetric key cryptography
• requires sender, receiver know shared secret key
• Q: how to agree on key in first place (particularly if never “met”)
public key cryptography
• radically different approach [Diffie-Hellman76, RSA78]
• sender, receiver do not share secret key
• public encryption key known to all
• private decryption key known only to receiver
Public Key Cryptography
[Figure: plaintext message, m → encryption algorithm (B’s public key $K_B^+$) → ciphertext $K_B^+(m)$ → decryption algorithm (B’s private key $K_B^-$) → plaintext message $m = K_B^-(K_B^+(m))$]
Public Key Encryption Algorithms
Requirements:
1. need $K_B^+(\cdot)$ and $K_B^-(\cdot)$ such that $K_B^-(K_B^+(m)) = m$
2. given public key $K_B^+$ it should be impossible to compute private key $K_B^-$
RSA: Rivest, Shamir, Adleman algorithm
RSA: Encryption Decryption
Choosing Keys
• Choose two large prime numbers p, q. (e.g., 1024 bits each)
• Compute n = pq, z = (p-1)(q-1)
• Choose e (with e<n) that has no common factors with z. (e, z are “relatively prime”).
• Choose d such that ed-1 is exactly divisible by z. (in other words: ed mod z = 1).
• Public key $K_B^+$ is (n,e). Private key $K_B^-$ is (n,d).
Encryption/Decryption
1. Given (n,e) and (n,d) as computed above
2. To encrypt bit pattern, m, compute $c = m^e \bmod n$ (i.e., remainder when $m^e$ is divided by n)
3. To decrypt received bit pattern, c, compute $m = c^d \bmod n$ (i.e., remainder when $c^d$ is divided by n)
RSA Example
B chooses p=5, q=7. Then n=35, z=24.
– e=5 (so e, z relatively prime).
– d=29 (so ed-1 exactly divisible by z).
encrypt:
letter   m    m^e      c = m^e mod n
l        12   248832   17
decrypt:
c    c^d                                    m = c^d mod n   letter
17   481968572106750915091411825223071697   12              l
RSA: Property
• Why is it that $m = (m^e \bmod n)^d \bmod n$?
Useful number theory result: If p, q prime and n = pq, then:
$x^y \bmod n = x^{y \bmod (p-1)(q-1)} \bmod n$
$(m^e \bmod n)^d \bmod n = m^{ed} \bmod n$
$= m^{ed \bmod (p-1)(q-1)} \bmod n$ (using number theory result above)
$= m^1 \bmod n$ (since we chose ed to be divisible by (p-1)(q-1) with remainder 1)
$= m$
RSA: Property
RSA also holds the following property:
$K_B^-(K_B^+(m)) = m = K_B^+(K_B^-(m))$
(left-hand side: use public key first, followed by private key; right-hand side: use private key first, followed by public key)
$(m^d)^e \bmod n = m = (m^e)^d \bmod n$
Result is the same!
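Added example, not part of the original slides: the key-choosing conditions, the p=5, q=7 numbers and the two-orders property from the RSA slides, checked in Python. The function names, the sample word and the a=1 … z=26 letter numbering (taken from the slide's l = 12) are assumptions of this example.

```python
from math import gcd

def rsa_keys(p, q, e, d):
    """Check the slides' key-choosing conditions; return (public, private)."""
    n, z = p * q, (p - 1) * (q - 1)
    if not 1 < e < n or gcd(e, z) != 1:
        raise ValueError("e must be < n and relatively prime to z")
    if (e * d - 1) % z != 0:
        raise ValueError("ed - 1 must be exactly divisible by z")
    return (n, e), (n, d)

def apply_key(key, x):
    """x^k mod n: the one operation behind K+(.) and K-(.)."""
    n, k = key
    if not 0 <= x < n:
        raise ValueError("bit pattern must lie in 0..n-1")
    return pow(x, k, n)

def letters_roundtrip(text, public, private):
    """Encrypt each letter on its own (a=1 .. z=26), then decrypt it again."""
    ms = [ord(ch) - ord("a") + 1 for ch in text]
    cs = [apply_key(public, m) for m in ms]
    back = "".join(chr(apply_key(private, c) + ord("a") - 1) for c in cs)
    return cs, back

def both_orders_agree(public, private):
    """K-(K+(m)) == m == K+(K-(m)) for every bit pattern m below n."""
    n = public[0]
    return all(
        apply_key(private, apply_key(public, m)) == m
        == apply_key(public, apply_key(private, m))
        for m in range(n)
    )

# The slides' numbers: p=5, q=7, e=5, d=29 give n=35, z=24.
PUBLIC, PRIVATE = rsa_keys(p=5, q=7, e=5, d=29)

if __name__ == "__main__":
    print(apply_key(PUBLIC, 12))                       # letter "l"
    print(letters_roundtrip("love", PUBLIC, PRIVATE))  # constructed sample word
    print(both_orders_agree(PUBLIC, PRIVATE))
```

With numbers this small the private exponent can be found by trial (d = 5 also satisfies ed mod z = 1), so the example only illustrates the arithmetic.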
Outline
• Network Security Concepts
• Principles of cryptography
• Authentication
• Integrity
• Key Distribution and certification
• Security in many layers
Authentication
• Goal: B wants A to “prove” its identity to him
• authentication must be done solely on the basis
of messages and data exchanged as part of an
authentication protocol.
– Protocol ap1.0: A says “I am A”
[Figure: A sends “I am A” to B; C also sends “I am A” to B.]
in a network, B can not “see” A, so C simply declares itself to be A
Authentication
• Protocol ap2.0: A says “I am A” in an IP packet
containing its source IP address
[Figure: A sends B a packet carrying A’s IP address and “I am A”; C sends B a packet carrying A’s IP address and “I am A”.]
C can create a packet “spoofing” A’s address
Authentication
Protocol ap3.0: A says “I am A” and sends her secret
password to “prove” it.
[Figure: A sends B a packet carrying A’s IP addr, A’s password and “I’m A”; B answers OK to A’s IP addr. C later sends B the same packet (A’s IP addr, A’s password, “I’m A”) and B again answers OK to A’s IP addr.]
playback attack: C records A’s packet and later plays it back to B
Authentication
• Protocol ap3.1: A says “I am A” and sends her
encrypted secret password to “prove” it.
[Figure: A sends B a packet carrying A’s IP addr, the encrypted password and “I’m A”; B answers OK to A’s IP addr. C sends B the recorded packet (A’s IP addr, encrypted password, “I’m A”).]
record and playback still works!
Authentication
• Goal: avoid playback attack
• Nonce: number (R) used only once-in-a-lifetime
• ap4.0: to prove A is “alive”, B sends nonce, R to A. A
must return R, encrypted with shared secret key
[Figure: A → B: “I am A”; B → A: R; A → B: $K_{A-B}(R)$]
A is live, and only
A knows key to
encrypt nonce, so
it must be A!
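Added example, not part of the original slides: B's side of ap3.1 and ap4.0, showing that a recorded message is accepted again under ap3.1 but rejected under ap4.0 because B picks a new R each time. HMAC-SHA256 stands in for the slides' $K_{A-B}(\cdot)$; the class names, key and password are constructed for this example.

```python
import hashlib
import hmac
import secrets

def keyed(key, data):
    """Stand-in for the slides' K_A-B(.): HMAC-SHA256, computable only with the key."""
    return hmac.new(key, data, hashlib.sha256).digest()

class VerifierAp31:
    """B in ap3.1: accepts the same encrypted password every time."""
    def __init__(self, key, password):
        self._expected = keyed(key, password)

    def login(self, blob):
        return hmac.compare_digest(blob, self._expected)

class VerifierAp40:
    """B in ap4.0: sends a fresh nonce R and accepts K_A-B(R) for that R only."""
    def __init__(self, key):
        self._key = key
        self._pending = None

    def challenge(self):
        self._pending = secrets.token_bytes(16)
        return self._pending

    def login(self, response):
        nonce, self._pending = self._pending, None   # each R is used once
        if nonce is None:
            return False
        return hmac.compare_digest(response, keyed(self._key, nonce))

def replay_outcomes():
    """Return (ap3.1 accepts playback, ap4.0 accepts live A, ap4.0 accepts playback)."""
    key = b"constructed-shared-key"                  # constructed sample values
    password = b"constructed-password"
    b31 = VerifierAp31(key, password)
    recorded = keyed(key, password)                  # A's packet as seen on the wire
    playback_31 = b31.login(recorded)
    b40 = VerifierAp40(key)
    recorded = keyed(key, b40.challenge())           # A's answer to the first R
    live = b40.login(recorded)
    b40.challenge()                                  # later session: B picks a new R
    playback_40 = b40.login(recorded)
    return playback_31, live, playback_40

if __name__ == "__main__":
    print(replay_outcomes())
```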
Authentication
ap4.0 requires shared symmetric key
• can we authenticate using public key techniques?
ap5.0: use nonce, public key cryptography
[Figure: A → B: “I am A”; B → A: R; A → B: $K_A^-(R)$; B → A: “send me your public key”; A → B: $K_A^+$]
B computes $K_A^+(K_A^-(R)) = R$ and knows only A could have the private key that encrypted R such that $K_A^+(K_A^-(R)) = R$
Authentication: Security Hole
• Intruder in the middle attacks: C poses as A (to B) and as
B (to A)
[Figure: message exchange among A, C and B]
A → C: “I am A”; C → B: “I am A”
B → C: R; C → B: $K_C^-(R)$
B → C: “Send me your public key”; C → B: $K_C^+$
C → A: R; A → C: $K_A^-(R)$
C → A: “Send me your public key”; A → C: $K_A^+$
B → C: $K_C^+(m)$; C gets $m = K_C^-(K_C^+(m))$, sends m to A encrypted with A’s public key
C → A: $K_A^+(m)$; A computes $m = K_A^-(K_A^+(m))$
Authentication: Security Hole
• Intruder in the middle attacks: C poses as A (to
B) and as B (to A)
[Figure: C sits between A and B.]
Difficult to detect:
• B receives everything that A sends, and vice
versa. (e.g., so B, and A can meet one week
later and recall conversation)
• problem is that C receives all messages as well!
Outline
• Network Security Concepts
• Principles of cryptography
• Authentication
• Integrity
• Key Distribution and certification
• Security in many layers
Digital Signatures
Cryptographic technique analogous to hand-written
signatures.
• sender (B) digitally signs document, establishing he is document
owner/creator.
• verifiable, non-forgeable: recipient (A) can prove to someone that B,
and no one else (including A), must have signed document
Simple digital signature for message m:
• B signs m by encrypting with his private key $K_B^-$, creating “signed” message, $K_B^-(m)$
[Figure: B’s message, m (“Dear A, Oh, how I have missed you. I think of you all the time! …(blah blah blah) B”) → public key encryption algorithm, using B’s private key $K_B^-$ → $K_B^-(m)$: B’s message, m, signed (encrypted) with his private key]
Digital Signatures
• Suppose A receives message m, digital signature $K_B^-(m)$
• A verifies m signed by B by applying B’s public key $K_B^+$ to $K_B^-(m)$ then checks $K_B^+(K_B^-(m)) = m$.
• If $K_B^+(K_B^-(m)) = m$, whoever signed m must have used B’s private key.
A thus verifies that:
– B signed m.
– No one else signed m.
– B signed m and not m’.
Non-repudiation:
– A can take m, and signature $K_B^-(m)$ to court and prove that B signed m.
Message Digests
Computationally expensive to public-key-encrypt long messages
Goal: fixed-length, easy-to-compute digital “fingerprint”
[Figure: large message m → H: Hash Function → H(m)]
• apply hash function H to m, get fixed size
message digest, H(m).
Hash function properties:
• many-to-1
• produces fixed-size message digest (fingerprint)
• given message digest x, computationally
infeasible to find m such that x = H(m)
Digital Signature = Signed Message Digest
B sends digitally signed message:
[Figure: large message m → H: Hash function → H(m) → digital signature (encrypt) with B’s private key $K_B^-$ → encrypted msg digest $K_B^-(H(m))$, sent together with (+) the large message m]
A verifies signature and integrity of digitally signed message:
[Figure: large message m → H: Hash function → H(m); encrypted msg digest $K_B^-(H(m))$ → digital signature (decrypt) with B’s public key $K_B^+$ → H(m); are the two H(m) equal?]
Internet Checksum: Poor Hash Function
• Internet checksum has some properties of hash function:
– produces fixed length digest (16-bit sum) of message
– is many-to-one
• But given message with given hash value, it is easy to find
another message with same hash value:
message    ASCII format      message    ASCII format
I O U 1    49 4F 55 31       I O U 9    49 4F 55 39
0 0 . 9    30 30 2E 39       0 0 . 1    30 30 2E 31
9 B O B    39 42 D2 42       9 B O B    39 42 D2 42
           B2 C1 D2 AC                  B2 C1 D2 AC
different messages but identical checksums!
Hash Function Algorithms
• MD5 hash function widely used (RFC 1321)
– computes 128-bit message digest in 4-step
process.
– arbitrary 128-bit string x, appears difficult to
construct message m whose MD5 hash is
equal to x.
• SHA-1 is also used.
– US standard [NIST, FIPS PUB 180-1]
– 160-bit message digest
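Added example, not part of the original slides: the 16-bit Internet checksum computed over the two IOU messages, read as plain ASCII text, next to their MD5 and SHA-1 digests. It goes one step beyond the slide by deriving the second message from the first with a compensating byte change; the function names are assumptions of this example.

```python
import hashlib

def internet_checksum(data):
    """16-bit one's-complement sum of the 16-bit words, complemented (RFC 1071)."""
    if len(data) % 2:
        data = bytes(data) + b"\x00"               # pad odd-length input
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
        total = (total & 0xFFFF) + (total >> 16)   # end-around carry
    return ~total & 0xFFFF

def compensate(data, i, j, delta):
    """Add delta to byte i and subtract it from byte j. Both bytes sit in the
    same half of their 16-bit words, so the word sum does not change."""
    if i % 2 != j % 2:
        raise ValueError("bytes must be in the same half of their words")
    out = bytearray(data)
    out[i] += delta                                # ValueError if a byte leaves 0..255
    out[j] -= delta
    return bytes(out)

def compare(m1, m2):
    """Which fingerprints tell the two messages apart?"""
    return {
        "checksum_equal": internet_checksum(m1) == internet_checksum(m2),
        "md5_equal": hashlib.md5(m1).digest() == hashlib.md5(m2).digest(),
        "sha1_equal": hashlib.sha1(m1).digest() == hashlib.sha1(m2).digest(),
        "md5_bits": hashlib.md5().digest_size * 8,
        "sha1_bits": hashlib.sha1().digest_size * 8,
    }

M1 = b"IOU100.99BOB"                               # the slide's first message
M2 = compensate(M1, 3, 7, 8)                       # "1" -> "9" and "9" -> "1"

if __name__ == "__main__":
    print(M2, hex(internet_checksum(M1)), hex(internet_checksum(M2)))
    print(compare(M1, M2))
```

Collisions have since been demonstrated for both MD5 and SHA-1, so current designs use SHA-256 or later; they appear here only because the slide names them.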
Reading Material
• Chapter 7 – text3 (Kurose)
• Chapter 8 – text2 (Tanenbaum)