Part I: Introduction - Computer Science Division
Last class:
- Ethernet
- Hubs and switches
- Mobile and wireless networks, CDMA
Today:
- CDMA and IEEE 802.11 wireless LANs
- Network security
10BaseT and 100BaseT Ethernet
- Uses CSMA/CD
- 10/100 Mbps rate; the latter is called “fast ethernet”
- T stands for Twisted Pair
- Nodes connect to a hub: “star topology”; 100 m max distance between nodes and hub
[Figure: nodes connected by twisted pair to a central hub]
Interconnecting with hubs
Pros:
- Enables interdepartmental communication
- Extends max distance between nodes
- If a hub malfunctions, the backbone hub can disconnect it
Cons:
- Collision domains are transferred into one large, common domain
- Cannot interconnect 10BaseT and 100BaseT
[Figure: a backbone hub interconnecting several department hubs]
Switch: traffic isolation
- switch installation breaks the subnet into LAN segments
- switch filters packets: same-LAN-segment frames are not usually forwarded onto other LAN segments
- segments become separate collision domains
[Figure: one switch connected to three hubs, each hub forming its own collision domain]
Wireless network characteristics
Multiple wireless senders and receivers create additional problems (beyond multiple access):
Hidden terminal problem:
- B, A hear each other
- B, C hear each other
- A, C can not hear each other, which means A, C are unaware of their interference at B
Signal fading:
- B, A hear each other
- B, C hear each other
- A, C can not hear each other, interfering at B
[Figure: left, nodes A, B, C with A’s and C’s ranges overlapping only at B; right, A’s signal strength and C’s signal strength falling off over space so that both reach B but not each other]
Overview
- CDMA and IEEE 802.11 wireless LANs
- Network security
Code Division Multiple Access (CDMA)
- used in several wireless broadcast channel (cellular, satellite, etc.) standards
- unique “code” assigned to each user; i.e., code set partitioning
- all users share the same frequency, but each user has its own “chipping” sequence (i.e., code) to encode data
- encoded signal = (original data) X (chipping sequence)
- decoding: inner product of encoded signal and chipping sequence
- allows multiple users to “coexist” and transmit simultaneously with minimal interference (if codes are “orthogonal”)
CDMA Encode/Decode
Sender: data bits d0 = 1, d1 = -1; code (M = 8 chips): 1 1 1 -1 1 -1 -1 -1
Encoding, chip m of the channel output in slot i: $Z_{i,m} = d_i \cdot c_m$
- slot 0 channel output (d0 = 1): 1 1 1 -1 1 -1 -1 -1
- slot 1 channel output (d1 = -1): -1 -1 -1 1 -1 1 1 1
Receiver: the received input is multiplied chip by chip with the same code and summed over the slot:
$D_i = \frac{1}{M} \sum_{m=1}^{M} Z_{i,m} \cdot c_m$
- slot 0: $D_0 = \frac{1}{8}(8) = 1 = d_0$
- slot 1: $D_1 = \frac{1}{8}(-8) = -1 = d_1$
CDMA: two-sender interference
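As an added example (not code from the slides), this Python works the CDMA encode/decode above with the slide’s 8-chip code and then adds a second sender with a constructed orthogonal code, showing why orthogonality lets both be recovered from the summed channel and what happens when a code is not orthogonal.

```python
# Added example, not from the slides: CDMA encode/decode with the slide's 8-chip
# code, plus a second sender with a constructed orthogonal code and a constructed
# non-orthogonal code to show the interference that orthogonality prevents.
CODE_A = (1, 1, 1, -1, 1, -1, -1, -1)    # chipping sequence from the slide (M = 8)
CODE_B = (1, -1, 1, 1, 1, -1, 1, 1)      # constructed: inner product with CODE_A is 0
NONORTHO = (1, 1, 1, 1, -1, -1, -1, -1)  # constructed: inner product with CODE_A is 4

def inner(x, y):
    """Inner product of two equal-length chip sequences."""
    return sum(a * b for a, b in zip(x, y))

def is_orthogonal(c1, c2):
    return inner(c1, c2) == 0

def encode(bits, code):
    """Z_{i,m} = d_i * c_m: each data bit d_i in {+1, -1} becomes one M-chip slot."""
    return [[d * c for c in code] for d in bits]

def superpose(*senders):
    """Chip-wise sum of simultaneous transmissions: what the shared channel carries."""
    return [[sum(chips) for chips in zip(*slots)] for slots in zip(*senders)]

def decode(channel, code):
    """D_i = (1/M) * sum_m Z_{i,m} * c_m: inner product of each received slot with the code.
    A result that is not +1 or -1 means another sender's code was not orthogonal."""
    m = len(code)
    return [inner(slot, code) / m for slot in channel]

if __name__ == "__main__":
    channel = superpose(encode([1, -1], CODE_A), encode([-1, 1], CODE_B))
    print("channel:", channel)
    print("A decodes:", decode(channel, CODE_A))   # [1.0, -1.0]
    print("B decodes:", decode(channel, CODE_B))   # [-1.0, 1.0]
    # Non-orthogonal neighbour: A's bit is no longer cleanly recoverable.
    print(decode(superpose(encode([1], CODE_A), encode([-1], NONORTHO)), CODE_A))  # [0.5]
```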
IEEE 802.11 Wireless LAN
802.11b
- 2.4-5 GHz unlicensed radio spectrum
- up to 11 Mbps
- direct sequence spread spectrum (DSSS) in physical layer
  • all hosts use same chipping code
- widely deployed, using base stations
802.11a
- 5-6 GHz range
- up to 54 Mbps
802.11g
- 2.4-5 GHz range
- up to 54 Mbps
All use CSMA/CA for multiple access
All have base-station and ad-hoc network versions
802.11 LAN architecture
- wireless host communicates with base station
- base station = access point (AP)
- Basic Service Set (BSS) (aka “cell”) in infrastructure mode contains: wireless hosts; access point (AP): base station
- ad hoc mode: hosts only
[Figure: BSS 1 and BSS 2, each with an AP, connected through a hub, switch or router to the Internet]
802.11: Channels, association
- 802.11b: 2.4GHz-2.485GHz spectrum divided into 11 channels at different frequencies
  - AP admin chooses frequency for AP
  - interference possible: channel can be same as that chosen by neighboring AP!
- host: must associate with an AP
  - scans channels, listening for beacon frames containing AP’s name (SSID) and MAC address
  - selects AP to associate with
  - may perform authentication [Chapter 8]
  - will typically run DHCP to get IP address in AP’s subnet
IEEE 802.11: multiple access
- avoid collisions: 2+ nodes transmitting at same time
- 802.11: CSMA - sense before transmitting
  - don’t collide with ongoing transmission by other node
- 802.11: no collision detection!
  - difficult to receive (sense collisions) when transmitting due to weak received signals (fading)
  - can’t sense all collisions in any case: hidden terminal, fading
  - goal: avoid collisions: CSMA/C(ollision)A(voidance)
[Figure: hidden terminal and signal fading diagrams for nodes A, B, C (A’s and C’s signal strength over space), as on the wireless characteristics slide]
IEEE 802.11 MAC Protocol: CSMA/CA
802.11 sender
1 if sense channel idle for DIFS then
  transmit entire frame (no CD)
2 if sense channel busy then
  - start random backoff time
  - timer counts down while channel idle
  - transmit when timer expires
  - if no ACK, increase random backoff interval, repeat 2
802.11 receiver
- if frame received OK
  return ACK after SIFS (ACK needed due to hidden terminal problem)
[Figure: timeline between sender and receiver: DIFS, data frame, SIFS, ACK]
Avoiding collisions (more)
idea: allow sender to “reserve” channel rather than random access of data frames: avoid collisions of long data frames
- sender first transmits small request-to-send (RTS) packets to BS using CSMA
  - RTSs may still collide with each other (but they’re short)
- BS broadcasts clear-to-send CTS in response to RTS
- RTS heard by all nodes
  - sender transmits data frame
  - other stations defer transmissions
Avoid data frame collisions completely using small reservation packets!
Collision Avoidance: RTS-CTS exchange
[Figure: timeline (time running downward) for A, AP and B: a reservation collision between the two RTSs, then DATA (A) is sent while B defers]
802.11 frame: addressing
Frame layout (field sizes in bytes): frame control (2), duration (2), address 1 (6), address 2 (6), address 3 (6), seq control (2), address 4 (6), payload (0 - 2312), CRC (4)
- Address 1: MAC address of wireless host or AP to receive this frame
- Address 2: MAC address of wireless host or AP transmitting this frame
- Address 3: MAC address of router interface to which AP is attached
- Address 4: used only in ad hoc mode
802.11 frame: addressing
[Figure: H1 — AP — R1 router — Internet]
802.3 frame: dest. address = R1 MAC addr, source address = AP MAC addr
802.11 frame: address 1 = AP MAC addr, address 2 = H1 MAC addr, address 3 = R1 MAC addr
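As an added example (not code from the slides) for the frame layout and the H1/AP/R1 addressing example above, this Python packs and parses a data frame using the field sizes shown and labels addresses 1-3 by the roles the slides give them. The byte order, the frame-control value, the all-zero address 4 and the use of CRC-32 for the CRC field are assumptions made for this example, and the MAC addresses are constructed.

```python
# Added example, not from the slides: pack/parse an 802.11 data frame with the
# slide's field sizes. Byte order, frame-control value and CRC-32 are assumptions.
import struct
import zlib

HEADER = struct.Struct("<HH6s6s6sH6s")  # frame control, duration, addr1-3, seq control, addr4
CRC = struct.Struct("<I")
MAX_PAYLOAD = 2312

def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))

def mac_text(raw):
    return ":".join(f"{b:02x}" for b in raw)

def build_frame(receiver, transmitter, router_if, payload, seq=0, frame_control=0, duration=0):
    """Infrastructure-mode frame: address 4 is unused, so it is left all-zero."""
    if not 0 <= len(payload) <= MAX_PAYLOAD:
        raise ValueError("payload must be 0..2312 bytes")
    body = HEADER.pack(frame_control, duration, mac_bytes(receiver), mac_bytes(transmitter),
                       mac_bytes(router_if), seq, bytes(6)) + payload
    return body + CRC.pack(zlib.crc32(body))

def parse_frame(frame):
    """Check the CRC first, then return the addresses under the roles the slide assigns."""
    if len(frame) < HEADER.size + CRC.size:
        raise ValueError("frame too short")
    body, (crc,) = frame[:-CRC.size], CRC.unpack(frame[-CRC.size:])
    if zlib.crc32(body) != crc:
        raise ValueError("CRC mismatch: frame corrupted")
    fc, dur, a1, a2, a3, seq, a4 = HEADER.unpack_from(body)
    return {
        "receiver": mac_text(a1),     # address 1: host or AP receiving this frame
        "transmitter": mac_text(a2),  # address 2: host or AP transmitting this frame
        "router_if": mac_text(a3),    # address 3: router interface behind the AP
        "address4": mac_text(a4),     # only meaningful in ad hoc mode
        "seq": seq,
        "payload": body[HEADER.size:],
    }

# Constructed addresses for the slide's H1 -> AP -> R1 path.
H1, AP, R1 = "02:00:00:00:00:01", "02:00:00:00:00:a1", "02:00:00:00:00:f1"

if __name__ == "__main__":
    print(parse_frame(build_frame(AP, H1, R1, b"hello")))
```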
802.11: mobility within same subnet
- H1 remains in same IP subnet: IP address can remain same
- switch: which AP is associated with H1?
  - self-learning (Ch. 5): switch will see frame from H1 and “remember” which switch port can be used to reach H1
[Figure: router connected to a hub or switch, which connects AP 1 (BSS 1) and AP 2 (BSS 2); H1 moves from BSS 1 to BSS 2]
Network Security
- What is network security?
- Principles of cryptography
- Authentication
- Access control: firewalls
- Attacks and counter measures
What is network security?
- Confidentiality: only sender, intended receiver should “understand” message contents
  - sender encrypts message
  - receiver decrypts message
- Authentication: sender, receiver want to confirm identity of each other
- Message Integrity: sender, receiver want to ensure message content not altered (in transit, or afterwards) without detection
- Access and Availability: services must be accessible and available to users
Friends and enemies: Alice, Bob, Trudy
- well-known in network security world
- Bob, Alice (lovers!) want to communicate “securely”
- Trudy (intruder) may intercept, delete, add messages
[Figure: Alice (secure sender) and Bob (secure receiver) exchange data and control messages over a channel; Trudy sits on the channel]
Who might Bob, Alice be?
- … well, real-life Bobs and Alices!
- Web browser/server for electronic transactions (e.g., on-line purchases)
- on-line banking client/server
- DNS servers
- routers exchanging routing table updates
- other examples?
There are bad guys (and girls) out there!
Q: What can a “bad guy” do?
A: a lot!
- eavesdrop: intercept messages
- actively insert messages into connection
- impersonation: can fake (spoof) source address in packet (or any field in packet)
- hijacking: “take over” ongoing connection by removing sender or receiver, inserting himself in place
- denial of service: prevent service from being used by others (e.g., by overloading resources)
more on this later ……
The language of cryptography
[Figure: plaintext → encryption algorithm (Alice’s encryption key $K_A$) → ciphertext → decryption algorithm (Bob’s decryption key $K_B$) → plaintext]
- symmetric key crypto: sender, receiver keys identical
- public-key crypto: encryption key public, decryption key secret (private)
Symmetric key cryptography
- substitution cipher: substituting one thing for another
  - monoalphabetic cipher: substitute one letter for another
plaintext:  abcdefghijklmnopqrstuvwxyz
ciphertext: mnbvcxzasdfghjklpoiuytrewq
E.g.:
Plaintext:  bob. i love you. alice
ciphertext: nkn. s gktc wky. mgsbc
Q: How hard to break this simple cipher?
- brute force (how hard?)
- other?
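As an added example (not code from the slides), this Python implements the monoalphabetic cipher above with the slide’s substitution pattern as the key and works both answers to the slide’s question: the size of the key space that brute force must search, and the “other” attack, letter-frequency counting, which needs no key at all and is why a huge key space alone does not make a cipher strong.

```python
# Added example, not from the slides: the slide's monoalphabetic cipher, its
# key space for brute force, and letter frequencies as the "other" attack.
from collections import Counter
from math import factorial
from string import ascii_lowercase

PLAIN = ascii_lowercase
CIPHER = "mnbvcxzasdfghjklpoiuytrewq"   # the key: the substitution pattern from the slide
ENC = str.maketrans(PLAIN, CIPHER)
DEC = str.maketrans(CIPHER, PLAIN)

def encrypt(plaintext):
    """Letters are substituted; spaces and punctuation pass through unchanged."""
    return plaintext.translate(ENC)

def decrypt(ciphertext):
    return ciphertext.translate(DEC)

def key_space():
    """Number of possible keys: every permutation of the 26 letters."""
    return factorial(26)

def brute_force_years(keys_per_second):
    """Time to try every key at the given rate, in years (365-day year assumed)."""
    return key_space() / keys_per_second / (365 * 24 * 3600)

def letter_frequencies(ciphertext):
    """Most common ciphertext letters first. The pattern of plaintext letter
    frequencies survives substitution, so this leaks the key without any search."""
    return Counter(ch for ch in ciphertext if ch in CIPHER).most_common()

if __name__ == "__main__":
    c = encrypt("bob. i love you. alice")
    print(c)                                  # nkn. s gktc wky. mgsbc
    print(decrypt(c))
    print(f"{key_space():.2e} keys; {brute_force_years(1e9):.2e} years at 1e9 keys/s")
    print(letter_frequencies(c)[:3])          # 'k' (= 'o') is the most frequent
```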
Symmetric key cryptography
[Figure: plaintext message m → encryption algorithm with $K_{A\text{-}B}$ → ciphertext $K_{A\text{-}B}(m)$ → decryption algorithm with $K_{A\text{-}B}$ → plaintext $m = K_{A\text{-}B}(K_{A\text{-}B}(m))$]
- symmetric key crypto: Bob and Alice share (know) the same (symmetric) key: $K_{A\text{-}B}$
- e.g., key is knowing substitution pattern in monoalphabetic substitution cipher
- Q: how do Bob and Alice agree on key value?
Symmetric key crypto: DES
DES: Data Encryption Standard
- US encryption standard [NIST 1993]
- 56-bit symmetric key, 64-bit plaintext input
- How secure is DES?
  - DES Challenge: 56-bit-key-encrypted phrase (“Strong cryptography makes the world a safer place”) decrypted (brute force) in 4 months
  - no known “backdoor” decryption approach
- making DES more secure:
  - use three keys sequentially (3-DES) on each datum
  - use cipher-block chaining
Symmetric key crypto: DES
DES operation:
- initial permutation
- 16 identical “rounds” of function application, each using different 48 bits of key
- final permutation
AES: Advanced Encryption Standard
- new (Nov. 2001) symmetric-key NIST standard, replacing DES
- processes data in 128 bit blocks
- 128, 192, or 256 bit keys
- brute force decryption (try each key) taking 1 sec on DES takes 149 trillion years for AES
Public Key Cryptography
symmetric key crypto
- requires sender, receiver know shared secret key
- Q: how to agree on key in first place (particularly if never “met”)?
public key cryptography
- radically different approach [DiffieHellman76, RSA78]
- sender, receiver do not share secret key
- public encryption key known to all
- private decryption key known only to receiver
Public key cryptography
[Figure: plaintext message m → encryption algorithm with Bob’s public key $K_B^+$ → ciphertext $K_B^+(m)$ → decryption algorithm with Bob’s private key $K_B^-$ → plaintext message $m = K_B^-(K_B^+(m))$]
Public key encryption algorithms
Requirements:
1. need $K_B^+(\cdot)$ and $K_B^-(\cdot)$ such that $K_B^-(K_B^+(m)) = m$
2. given public key $K_B^+$, it should be impossible to compute private key $K_B^-$
RSA: Rivest, Shamir, Adleman algorithm
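As an added example (not code from the slides, which name RSA but do not describe it), this Python implements textbook RSA with small constructed primes and checks requirement 1 directly; it also shows why requirement 2 depends on key size, since at toy size the private key falls straight out of factoring n. Real deployments use primes of hundreds of digits together with padding; the numbers here are for illustration only.

```python
# Added example, not from the slides: textbook RSA with constructed toy primes,
# checking K-(K+(m)) = m and showing why requirement 2 needs a large n.
from math import gcd

def keygen(p, q, e=17):
    """Return (public key K+, private key K-) for primes p, q; e = 17 is a constructed choice."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)          # modular inverse of e (Python 3.8+)
    return (e, n), (d, n)

def apply_key(key, x):
    """K+ and K- are the same operation: modular exponentiation with that key's exponent."""
    exp, n = key
    if not 0 <= x < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(x, exp, n)

def round_trip_ok(pub, priv, m):
    """Requirement 1: K-(K+(m)) = m. RSA also gives K+(K-(m)) = m, used for signatures."""
    return apply_key(priv, apply_key(pub, m)) == m and apply_key(pub, apply_key(priv, m)) == m

def recover_private_by_factoring(pub):
    """Requirement 2 fails at toy size: trial-dividing n gives p, q, hence phi and d.
    The security of real RSA rests on this step being infeasible for large n."""
    e, n = pub
    p = next(i for i in range(2, int(n ** 0.5) + 1) if n % i == 0)
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1)), n

if __name__ == "__main__":
    pub, priv = keygen(61, 53)                 # constructed toy primes: n = 3233
    c = apply_key(pub, 65)
    print(pub, priv, c, apply_key(priv, c))    # (17, 3233) (2753, 3233) 2790 65
    print(recover_private_by_factoring(pub) == priv)   # True: toy n is factored instantly
```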