Computer Network 2

Download Report

Transcript Computer Network 2

Cryptography &
Network Security
MSc. NGUYEN CAO DAT
Dr. TRAN VAN HOAI
Principles of modern ciphers
Implement crypto library
Network Security Applications
System Security
1
BK
TP.HCM
Course details
Number of credits: 3
 Study time allocation per week:
 2 lecture hours for theory
 2 lecture hours for lab, exercises
 6 hours for self-study
 Website: http://www.cse.hcmut.edu.vn/~dat
2
BK
TP.HCM
Course outline (1/2)
 Basics of Cryptography
▫ Symmetric key
▫ Public key
▫ Hash function
 Network Security Applications
▫ Authentication applications
▫ E-mail security
3
BK
TP.HCM
Course outline (2/2)
Network Security Applications (con’t)
▫ Web security
▫ IP security
 System Security
▫ IDS/IPS
▫ Firewalls
▫…
4
BK
TP.HCM
References
[1] “Cryptography and Network Security
Principles and Practices”, W. Stallings, 4th ed.,
Prentice Hall, 2005
[2] Slides “Cryptography and Network Security”,
Bộ môn Hệ thống và Mạng, Khoa Khoa học và
Kỹ thuật máy tính, ĐHBK Tp.HCM.
5
BK
TP.HCM
Assessment Scheme
Attending lectures: >80% lecture times
Reading textbooks and references
Self-study and working in group
Lab: 20%
Assignments: 20%
Midterm Exam: 20%, multiple question choice
test – 45’
Final Exam: 40%, multiple question choice test
– 60’
6
Chapter 1
Introduction
MSc. NGUYEN CAO DAT
Dr. TRAN VAN HOAI
7
BK
TP.HCM
Background
Information Security requirements have
changed in recent times.
traditionally provided by physical and
administrative mechanisms.
computer use requires automated tools to
protect files and other stored information.
use of networks and communications links
requires measures to protect data during
transmission.
8
BK
TP.HCM
Definitions
Computer Security - generic name for the
collection of tools designed to protect data and
to thwart hackers.
Network Security - measures to protect data
during their transmission.
Internet Security - measures to protect data
during their transmission over a collection of
interconnected networks.
9
BK
TP.HCM
Aim of Course
our focus is on Internet Security
which consists of measures to deter, prevent,
detect, and correct security violations that
involve the transmission & storage of
information
10
BK
TP.HCM
Security Trends
11
12
BK
TP.HCM
BK
TP.HCM
OSI Security Architecture
ITU-T X.800 “Security Architecture for OSI”
defines a systematic way of defining and
providing security requirements
for us it provides a useful, if abstract, overview
of concepts we will study
13
BK
TP.HCM
Aspects of Security
consider 3 aspects of information security:
▫ security attack
▫ security mechanism
▫ security service
14
BK
TP.HCM
Security Attack
any action that compromises the security of
information owned by an organization
information security is about how to prevent
attacks, or failing that, to detect attacks on
information-based systems
often threat & attack used to mean same thing
have a wide range of attacks
can focus of generic types of attacks
▫ passive
▫ active
15
BK
TP.HCM
Classify Security Attacks
passive attacks - eavesdropping on, or
monitoring of, transmissions to:
▫ obtain message contents, or
▫ monitor traffic flows
active attacks – modification of data stream to:
▫
▫
▫
▫
masquerade of one entity as some other
replay previous messages
modify messages in transit
denial of service
16
BK
TP.HCM
Types of Attacks
17
BK
TP.HCM
Passive Attacks
18
BK
TP.HCM
Active Attacks
19
BK
TP.HCM
Security Service
▫ enhance security of data processing systems
and information transfers of an organization
▫ intended to counter security attacks
▫ using one or more security mechanisms
▫ often replicates functions normally associated
with physical documents
20
BK
TP.HCM
Security Services
X.800
“a service provided by a protocol layer of
communicating open systems, which ensures
adequate security of the systems or of data
transfers”
RFC 2828
“a processing or communication service provided
by a system to give a specific kind of protection
to system resources”
21
BK
TP.HCM
Security Services (X.800)
Authentication - assurance that the
communicating entity is the one claimed
Access Control - prevention of the
unauthorized use of a resource
Data Confidentiality –protection of data from
unauthorized disclosure
Data Integrity - assurance that data received is
as sent by an authorized entity
Non-Repudiation - protection against denial by
one of the parties in a communication
22
BK
TP.HCM
Security Mechanism
feature designed to detect, prevent, or recover
from a security attack
no single mechanism that will support all
services required
however one particular element underlies many
of the security mechanisms in use:
▫ cryptographic techniques
hence our focus on this topic
23
BK
TP.HCM
Security Mechanisms (X.800)
specific security mechanisms
▫ encipherment, digital signatures, access
controls, data integrity, authentication exchange,
traffic padding, routing control, notarization
pervasive security mechanisms
▫ trusted functionality, security labels, event
detection, security audit trails, security recovery
24
BK
TP.HCM
Model for Network Security
25
BK
TP.HCM
Model for Network Security
 using this model requires us to:
1. design a suitable algorithm for the security
transformation
2. generate the secret information (keys) used by
the algorithm
3. develop methods to distribute and share the
secret information
4. specify a protocol enabling the principals to use
the transformation and secret information for a
security service
26
BK
TP.HCM
Model for Network Access Security
27
BK
TP.HCM
Model for Network Access Security
 using this model requires us to:
1. select appropriate gatekeeper functions to
identify users
2. implement security controls to ensure only
authorised users access designated information
or resources
 trusted computer systems may be useful to
help implement this model
28
BK
TP.HCM
Cryptography
29
BK
TP.HCM
Cryptography
characterize cryptographic system by:
▫ type of encryption operations used
 substitution / transposition / product
▫ number of keys used
 single-key or private / two-key or public
▫ way in which plaintext is processed
 block / stream
30
BK
TP.HCM
Cryptanalysis
objective to recover key not just
message
general approaches:
▫ cryptanalytic attack
▫ brute-force attack
31
BK
TP.HCM
Cryptanalytic Attacks
ciphertext only
▫ only know algorithm & ciphertext, is statistical,
know or can identify plaintext
known plaintext
▫ know/suspect plaintext & ciphertext
chosen plaintext
▫ select plaintext and obtain ciphertext
chosen ciphertext
▫ select ciphertext and obtain plaintext
chosen text
▫ select plaintext or ciphertext to en/decrypt
32
BK
TP.HCM
More Definitions
unconditional security
▫ no matter how much computer power or time is
available, the cipher cannot be broken since the
ciphertext provides insufficient information to
uniquely determine the corresponding plaintext
computational security
▫ given limited computing resources (eg time
needed for calculations is greater than age of
universe), the cipher cannot be broken
33
BK
TP.HCM
Brute Force Search
always possible to simply try every key
most basic attack, proportional to key size
assume either know / recognise plaintext
Key Size (bits)
Number of Alternative
Keys
Time required at 1
decryption/µs
Time required at 106
decryptions/µs
32
232 = 4.3  109
231 µs
= 35.8 minutes
2.15 milliseconds
56
256 = 7.2  1016
255 µs
= 1142 years
10.01 hours
128
2128 = 3.4  1038
2127 µs
= 5.4  1024 years
5.4  1018 years
168
2168 = 3.7  1050
2167 µs
= 5.9  1036 years
5.9  1030 years
26! = 4  1026
2  1026 µs = 6.4  1012 years
26 characters
(permutation)
6.4  106 years
34
BK
TP.HCM
Summary
have considered:
▫ definitions for:
 computer, network, internet security
X.800 standard
security attacks, services, mechanisms
models for network (access) securityto
Cryptography, cryptanalysis
35
BK
TP.HCM
Self study
Symmetric Cipher Model
Classical Substitution Ciphers
▫
▫
▫
▫
▫
Caesar Cipher
Monoalphabetic Cipher
Playfair Cipher
Polyalphabetic Ciphers
Vigenère Cipher
Cryptanalysis using letter frequencies
36