Transcript CN 2015 5 - SNGCE DIGITAL LIBRARY

COMPUTER NETWORKS
Mr. DEEPAK P.
Associate Professor
ECE Department
SNGCE
1
DEEPAK.P
UNIT 5
2
DEEPAK.P
Network Security
3
DEEPAK.P
Network Security
 Security
 It means protecting the information.
 Communicate securely over an in secure medium
 Three types of security
 1 Computer security
 Protect data stored in a computer from hackers.
 2 Internet security
 Protecting data during its transmission among the
interconnected network.
 3. Network Security - measures to protect data during
their transmission
4
DEEPAK.P
1. Computer Security
 Computer security consists of the provisions and policies
adopted for protecting a computer from
Unauthorized access,
2. Misuse,
3. Modification,
1.
5
DEEPAK.P
2. Internet Security
 Its objective is to establish rules and measures to use against
attacks over the Internet.
 The Internet represents an insecure channel for exchanging
information leading to a high risk of intrusion or fraud
6
DEEPAK.P
3. Network Security
 Computer security consists of the provisions and policies
adopted by a network administrator to prevent and
monitor
1.
2.
3.
4.
5.
7
Unauthorized access,
Misuse,
Modification,
Denial of a computer network
Network-accessible resources.
DEEPAK.P
Network Security Model
8
DEEPAK.P
Network Security Model
Receiver
Message
Secure Message
Secure Message
Security related information
Message

Sender
Secret information
Secret information
9
DEEPAK.P
Network Security Model Design Tasks
10
1.
Generate secret information by using an algorithm
2.
Develop methods to distribute and share secret
information.
DEEPAK.P
Security Services and Goals
11
DEEPAK.P
Security Goals
12
DEEPAK.P
Security Attack on Goals
The three goals of securityconfidentiality, integrity, and
availabilitycan be threatened by security attacks.
13
Security Attack on Goals
Snooping refers to unauthorized access to or
interception of data.
Traffic analysis refers to obtaining some other type of
information by monitoring online traffic.
14
Security Attack on Goals
Modification means that the attacker intercepts the message
and changes it.
Masquerading or spoofing happens when the attacker
impersonates somebody else.
Replaying means the attacker obtains a
of a message sent by a user and later tries to replay it.
copy
Repudiation means that sender of the message might later
deny that she has sent the message; the receiver of the
message might later deny that he has received the message.
15
Security Attack on Goals
Denial of service (DoS) is a very common attack. It may
slow down or totally interrupt the service of a system.
16
Security Services
17
DEEPAK.P
Security Services

Three Aspects of Security
1. Security Services--- Enhances the security
1. Privacy
•
It can be achieved by public or private key
cryptography
2. Authentication
•
The receiver needs to be sure about the senders
identity
3. Integrity
•
Data arriving at receiver is exactly same as that
of sent
18
DEEPAK.P
Security Services
4. Non-Repudiation
• Receiver should be able to prove that message it has
received has come from a specific sender
5. Confidentiality
• Protect data from un authorized disclosure
6. Availability
• The information created and stored by an organization
needs to be available to authorized entities.
19
DEEPAK.P
Confidentiality
 Transmitted info in an insecure channel can only be
understood by desired destination/s
 It must stay unintelligible for the rest
 Ways of protection:
 Dedicated physical links
High cost
Difficult maintenance
 Cipher
 Attack e.g.: obtaining data from sender
20
Integrity
 Ensures that transmitted info was not modified during the
communication process
 Message in destination must be the same as in source
 Ways of protection:
 Digital signature
 Attack e.g.: modifying the destination address in a product
bought on the internet
21
Authenticity
 Ensures the source of the info
 Avoids imitation
 Ways of protection:
Digital signature
2. Challenge
3. Human authentication
Biometric (fingerprint, retina, facial recognition, etc.)
 Attack e.g.: user impersonation in bank transaction
1.
22
Virtual Networks
Non-repudiation:
 Avoid sender’s denial
 Avoid receiver’s denial
 Ways of protection:
 Digital signature
 Attack e.g.: loss of an application form
23
Virtual Networks
Types of Attack
24
DEEPAK.P
Attack
 In computer and computer networks an attack is any attempt
to destroy, expose, alter, disable, steal or gain
unauthorized access to or make unauthorized use of an
asset
 Attacks: Violation of channel security
 Any action that compromises the security of information is
called attack.
 If channel is Non-reliable, attack will happened
25
Types of Attack
26
Types of Attack
Passive
2. Active
 From the word active, it is clear that it is nothing but direct
attack
 Passive attack is indirect attack
1.
 Categories
Interception
2. Interruption
3. Modification
4. Fabrication
1.
27
Types of Attack
28
Passive attacks
 Attacker does not change the content of the transmitted
information
 Objectives:
1. Entity identification
2. Traffic control
3. Traffic analysis
4. Usual data exchange time detection
 Difficult to detect
 Easy to avoid -> encryption
29
Passive Attack
30
Active attacks
 Attacker does change the content of the transmitted
information
 Types:
1. Masked (impostor)
2. Repetitive (intercepted msg, repeated later)
3. Msg modification
4. Service denial
 Difficult to prevent
 Easy to detect -> detection & recovery
31
Active Attack
32
Categories of Active Attack
 Interruption:
 Destruction of a shared resource
 Active
 E.g:
 Destruction of hardware
 Communication breakdown
Receiver
Transmitter
Intruder
33
Virtual Networks
Interruption
 Cutting wires
 Jamming wireless signals
 Dropping of packet by switch
34
DEEPAK.P
Interception
Interception
Receiver
Transmitter
Intruder
35
Virtual Networks
Interception
 Try to tamper (alter) the message for his/her on




36
benefit
Confidentiality attack
Passive
A non-authorized intruder achieves the access to a nonshared resource
E.g:
 Traffic capture
 Obtaining copies of files or programs
DEEPAK.P
Modification
Receiver
Transmitter
Intruder
37
Virtual Networks
Modification
 Try to intercept the message and send the modified
one
 A non-shared resource is intercepted & modified by a nonauthorized host before arriving to its final destination
 Active
 E.g:
 Change in sent data
38
DEEPAK.P
Fabrication
Fabrication (spoofing)
Receiver
Transmitter
Intruder
39
Virtual Networks
Fabrication
 Message may be sent by a stranger by acting as a friend
 Authenticity attack
 Active
 Non-authorized host (impostor) generates a resource that
arrives to the final destination
 E.g:
 Fraud information
40
DEEPAK.P
Malicious programs
41
Security Mechanisms
42
DEEPAK.P
Security Mechanisms
Security mechanism
 It is designed to detect, prevent, recover from security
attack.
 It is classified in to two
 Specific Security mechanism
It is incorporated in to appropriate protocol
layer
 Pervasive security mechanism
 Not specific to any protocol layer

43
DEEPAK.P
Security Mechanisms
44
Virtual Networks
Security Mechanisms
Two techniques are relevant today: cryptography and
steganography.
1.
Cryptography
2.
Steganography
Steganography is the art or practice of concealing a
message, image, or file within another message, image,
or file.
45
Virtual Networks
Cryptography
46
DEEPAK.P
Cryptography
 Way of protecting information against intruders (encryption
& digital signatures)
 Definition
 Science of secret writing, for hiding information from
third parties
 Principle
 Keeping privacy between two or more communication
elements
47
Cryptography
 Cryptography means-Secret writing
 It is a science of transforming messages and make them





48
secure.
Cryptographic techniques allow sender to mask data.
Cryptographic techniques allow receiver to recover data
from masked data.
It is the study of Encryption and Decryption methods.
Encryption—Plain text to cipher text
Decryption—Cipher text to Plain text
DEEPAK.P
Cryptography Model
49
DEEPAK.P
Components in Cryptography
B
A
A
Plain Text
Encryption
Plain Text
Network
Cipher Text
50
DEEPAK.P
Decryption
Cryptography
Transmitter
cipher
51
Receiver
decipher
Cryptography
 Functioning basis
 Altering original msg to avoid the access to the
information of any non-authorized party
 E.g
 Original msg: “This lecture is boring”
 Altered msg: “Wklv ohfwxuh lv erulqj”
 Caesar cipher (K=3)
52
Cryptography
Cipher:
 Mechanism that converts a
plain msg in an unintelligible
one
 Cipher algorithm needs a key
53
Virtual Networks
Decipher:
r Mechanism that converts an
unintelligible msg in the
original one
r Necessary to know the used
cipher algorithm and the key
Encryption& Decryption
Encryption
A Key
Plain Text
Encryption Algorithm
Cipher Text
54
DEEPAK.P
Decryption
A Key
Cipher Text
Decryption Algorithm
Plain Text
Encryption& Decryption
 Encryption and decryption algorithm are public.
 The keys are secret.
 Key is a value or number
55
DEEPAK.P
Classification of Cryptography
 Cryptographic algorithm can be classified in to
 Symmetric key type or secret key
Same key is used by sender and receiver (Key is
shared)
 Public Key type or asymmetric
 Two keys are used
 Public key
 Used for encryption
 Available to public

56
DEEPAK.P
Cryptography
57
Symmetric Key
Cryptography
58
DEEPAK.P
Symmetric Key
Features:
 Private key
 Transmitter & Receiver share the same key
Transmitter
cipher
59
Virtual Networks
Receiver
decipher
Privacy using private key cryptography
60
DEEPAK.P
Symmetric Key
Algorithms:
 DES, 3DES, RC5, IDEA, AES
 Requirements:
 Neither plaintext nor the key may be extracted from the msg
 The cost in time & money of obtaining the information must be higher than the
value of the obtained information
 Algorithm strength:
 Internal complexity
 Key length
61
Symmetric Key
Accomplished objectives:
 Confidentiality
 Integrity
 Authentication
 Non repudiation
62
Symmetric Key
Advantages:
 Algorithm execution rate
 Best method to cipher great pieces of information
Disadvantages:
 Distribution of private key
 Key management
 The number of used keys is proportional to the number of used
secure channels
63
Symmetric key Types
64
DEEPAK.P
Symmetric key Cryptography
B
A
A
Plain Text
Encryption
Plain Text
Network
Cipher Text
Shared key
65
DEEPAK.P
Decryption
Symmetric key Cryptography
 Also called single key/Conventional
 Two types
Traditional cipher
I.
Mono alphabetic cipher
Caesar cipher
One time pad
Play fair
Hill
Poly Alphabetic
1.
2.
3.
4.
5.
6.
a)
66
DEEPAK.P
Vigenere cipher
Symmetric key Cryptography
II. Modern Ciphers
 Simple Modern cipher (Stream)
 XOR
 Rotation
 Substitution Cipher
 Transposition cipher
 Modern cipher( Block)
 DES
 Triple DES
 AES
67
DEEPAK.P
Ceasar Cipher
 Replacing each letter of the alphabet to the letter
specified the key value.
 It is also called shift cipher.
 Eg.
 Key=3
 Plain text =hello
 Cipher text=khoor
68
DEEPAK.P
Ceasar Cipher
69
DEEPAK.P
Poly alphabetic Substitution
 This is an improvement over the Caesar cipher
 Here the relationship between a character in the plaintext
and a character in the cipher text is always one-to-many.
 Example of poly alphabetic substitution is the Vigenere
cipher.
 In this case, a particular character is substituted by different
characters in the cipher text depending on its
position in the plaintext.
70
DEEPAK.P
Poly alphabetic Substitution
71
DEEPAK.P
Transpositional Cipher
 The transpositional cipher, the characters remain unchanged but
their positions are changed to create the ciphertext.
 The characters are arranged in two-dimensional matrix and
columns are interchanged according to a key is shown in the
middle portion of the diagram.
 Transpositional cipher is also not a very secure approach.
 The attacker can find the plaintext by trial and error utilizing
the idea of the frequency of occurrence of characters.
72
DEEPAK.P
Transpositional Cipher
73
DEEPAK.P
Block Cipher
 Block ciphers use a block of bits as the un it of encryption and
decryption.
 To encrypt a 64-bit block, one has to take each of the 2^64
input values and map it to one of the 2^64 output values.
 The mapping s hould be one-to-one.
74
DEEPAK.P
Block Cipher
75
DEEPAK.P
Data Encryption Standard (DES)
76
DEEPAK.P
Data Encryption Standard (DES)
77
DEEPAK.P
Data Encryption Standard (DES)
 One example of the block cipher is DES
78
DEEPAK.P
Data Encryption Standard (DES)
79
DEEPAK.P
Triple DES
80
DEEPAK.P
Asymmetric Key
Cryptography
81
DEEPAK.P
Asymmetric Key
Features:
 Public Key
 Every party has got a pair of keys (private-public)
Transmitter
cipher
82
Receiver
decipher
Asymmetric Key
Features:
 Each participant has a secret key (private key)
 To send a message


83
Encrypt with public key
To decrypt, decrypt using a private key
Privacy using public key cryptography
84
DEEPAK.P
Asymmetric Key
Algorithms:
1. Diffie-Hellman,
2. RSA,
3. DSA
 The cost in time & money of obtaining the information must be
higher than the value of the obtained information
 For an public-key encrypted text, there must be only a
private key capable of decrypt it, and viceversa
85
Asymmetric Key
Accomplished objectives:
 Confidentiality
 Integrity
 Authentication
 Offers very good mechanisms
 Non repudiation
86
Virtual Networks
Asymmetric Key
Advantages:
 No problems for key distribution -> public key
 In case of the steal of a user’s private key, only the msgs sent to
that user are involved
 Better authentication mechanisms than symmetric systems
Disadvantages:
 Algorithm execution rate is high
87
Asymmetric key Types
88
DEEPAK.P
Public key Cryptography
 Most common Algorithms are
RSA
2. Diffie-Helman
1.
89
DEEPAK.P
Public key Cryptography
B
A
A
Plain Text
Encryption
Plain Text
Network
Decryption
Cipher Text
Public key
90
DEEPAK.P
Private key
RSA Algorithm
 It is by the first three letters of 3 developers (Rivest,
Shamir, Adelman)
 It is a public key crypto system
 It is a very strong algorithm
 Disadvantage
 Key requires at least 1024 bits for good security
91
DEEPAK.P
RSA Algorithm
 Public key algorithm that performs encryption as well as
decryption based on number theory
92
DEEPAK.P
RSA Algorithm Steps
 Choose two large prime numbers (P,Q)
 Compute n=P*Q
 Compute Z=(P-1)*(Q-1)
 Choose a number relatively prime to Z and call it D
 Find E such that E*D=1 mod Z
 Encryption
 To encrypt a message P,
 Compute
C=Pe (mod (n))
93
DEEPAK.P
RSA Algorithm Steps
 Decryption
 To Decrypt the message C,
 Compute
P=Cd (mod n)
 To perform encryption we need e&n
 To perform Decryption we need d&n
 Public key consists of Pair(e&n)
 Private key consists of Pair (d&n)
94
DEEPAK.P
RSA
95
DEEPAK.P
Digital Signature
96
DEEPAK.P
Digital Signature
 A digital signature is a mathematical scheme for
demonstrating the authenticity of a digital message or
document.
 By message authentication we mean that the receiver should
be sure about sender’s identity.
 A digital signature is the electronic signature (Certificate)
duly issued by the Certifying Authority that shows the
authenticity of the person signing the same.
97
DEEPAK.P

Digital Signature Process
98
DEEPAK.P
Authentication, Integrity and Non repudiation using
Digital Signature
 Digital Signature provides the three security services such as
Authentication, Integrity and Non-repudiation.
 There are two option for Digital Signature:
Signing the entire document
2. Signing the digest (sample of the message)
1.
99
DEEPAK.P
Signing the Entire Document
 In the first case the entire document is encrypted using
private key of the sender and at the receiving end it is
decrypted using the public key of the sender.
 For a large message this approach is very inefficient.
100
DEEPAK.P
Signing the Entire Document
 In the second case a miniature version of the message,
known as digest , is encrypted using the private key of the
sender and then the signed digest along with the message is
sent to the receiver
101
DEEPAK.P
Digital Signature Using Hash function
102
DEEPAK.P
Digital Signature
103
DEEPAK.P
Digital Signature
104
DEEPAK.P
Firewall
105
DEEPAK.P
Firewalls
 To accomplish the security it is necessary to perform user
authentication and access control to protect the networks
from unauthorized traffic. This is known as firewalls
 Firewall system is an electronic security guard and electronic
barrier at the same time.
 It protects and controls the interface between a private network
and an insecure public network
 A firewall is a device (or software feature) designed to control
the flow of traffic into and out-of a network.
106
Firewalls
107
Firewalls
 In general, firewalls are installed to prevent attacks.
 A firewall can be hardware or software
 It is responsible for partitioning a designated area such that
any damage on one side cannot spread to the other side.
 Ex. Some routers come with firewall functionality
 ipfw, ipchains, pf on Unix systems, Windows XP and Mac
OS X have built in firewalls
108
Firewalls
Internet
DMZ
Web server, email
server, web proxy,
etc
Firewall
Firewall
Intranet
109
Firewalls
 The firewalls can be broadly categorized into the following
three types:
1.
2.
3.
Packet Filters
Application-level Gateways
Circuit-level Gateways
 Packet Filters or Packet filtering router applies a set of rules to
each incoming IP packet and then forwards or discards it.
 Packet filter is typically set up as a list of rules based on
matches of fields in the IP or TCP header.
110
Firewalls
 Used to filter packets based on a combination of features
 These are called packet filtering firewalls
 Ex. Drop packets with destination port of 23 (Telnet)
111
Firewalls
 Application level gateway, also called a Proxy Server acts as a
relay of application level traffic.
 Users contact gateways using an application and the request is
successful after authentication.
112
Firewalls
 Circuit-level gateway can be a standalone or a specialized
system.
113
Components in a Active Firewalls
114
Components in a Active Firewalls
115
IP security(IP.sec)
116
DEEPAK.P
Ip.sec.
 Internet Protocol Security (IPsec) is a protocol suite for
securing Internet Protocol (IP) communications by
authenticating and encrypting each IP packet of a
communication session.
 IPsec includes protocols for establishing mutual
authentication between agents at the beginning of the
session and negotiation of cryptographic keys to be used
during the session.
 The Microsoft implementation of IPSec is based on standards
developed by the Internet Engineering Task Force (IETF)
IPSec working group.
117
Ip.sec.
118
Ip.sec.
119
Ip.sec.
 The IP security architecture uses the concept of a security
association as the basis for building security functions into
IP.
 A security association is simply the bundle of algorithms and
parameters (such as keys) that is being used to encrypt and
authenticate a particular flow in one direction.
 IPsec supports two encryption modes: Transport and
Tunnel.
 Transport mode encrypts only the data portion (payload) of
each packet, but leaves the header untouched.
120
Ip.sec.
 In tunnel mode, the entire IP packet is encrypted and/or
authenticated.
 It is then encapsulated into a new IP packet with a new IP
header.
 On the receiving side, an IPSec-compliant device decrypts
each packet
 Tunnel mode is the more secure mode..
121
Ip.sec.
122
Ip.sec. Architecture
123
Ip.sec. Vs TLS
124
Pretty Good Privacy(PGP)
125
DEEPAK.P
PGP
 Pretty Good Privacy or PGP is a popular program used to
encrypt and decrypt email over the Internet, as well as
authenticate messages with digital signatures and encrypted
stored files.
 Developed by Phil Zimmerman in 1995.
 There are two main schemes which are especially designed to
provide confidentiality and authentication for electronic
mail systems. These are:
PGP(Pretty Good Privacy)
2.
S/MIME(Secure/Multipurpose Internet Mail
Extension)
1.
126
PGP
 PGP combines the best available cryptographic algorithms
to achieve secure e-mail communication.
 It is assumed that all users are using public key
cryptography and have generated a private/public key pair.
 Either RSA (with RSA digital signatures) or El Gamel (with
DSA) can be used.
 All users also use a symmetric key system such as triple
DES or Rijndael.
127
PGP
 PGP is a type of Public Key cryptography.
 It is a computer program that encrypts (scrambles) and decrypts
(unscrambles) data.
 When you begin using PGP , it generates two keys that belong
uniquely to you.
 One PGP key is Private and stays in your computer, while
the other key is Public.
 You give this second key to your correspondents
128
PGP
 PGP is similar to your telephone number.
 You can advertise your Public Key the same way as you do
your telephone number.

 If I have your telephone number, I can call you, however I
cannot answer your telephone.
 Similarly, if I have your Public Key, I can send you mail,
however I cannot read your mail.
129
PGP
130
PGP Encryption
 PGP encryption uses a serial combination of hashing, data
compression, symmetric-key cryptography, and finally publickey cryptography.
131
PGP Decryption
 PGP encryption uses a serial combination of hashing, data
compression, symmetric-key cryptography, and finally publickey cryptography.
132
PGP
PGP offers 5 services:
1.
Authentication
2.
Confidentiality
3.
Compression
4.
E-mail compatibility
5.
Segmentation
133
SSL/TLS
134
DEEPAK.P
SSL/TLS
 Transport Layer Security (TLS) and its predecessor, Secure
Sockets Layer (SSL), are cryptographic protocols designed to
provide communications security over a computer network.
 A popular implementation of public-key encryption is the
Secure Sockets Layer (SSL).
 Originally developed by Netscape, SSL is an Internet
security protocol used by Internet browsers and Web servers
to transmit sensitive information.
 SSL has become part of an overall security protocol known
as Transport Layer Security (TLS).
135
SSL/TLS
 TLS is the new name for SSL.
 SSL and TLS are protocols that aim to provide privacy and
data integrity between two parties
 SSL version 3.0 has been implemented in many web browsers
 TLS can be viewed as SSL v3.1
136
SSL Architecture
137
SSL Architecture
 SSL Handshake Protocol
 negotiation of security algorithms and parameters
 key exchange
 server authentication and optionally client authentication
 SSL Record Protocol
 fragmentation
 compression
 message authentication and integrity protection
 encryption
 SSL Alert Protocol
 error messages (fatal alerts and warnings)
 SSL Change Cipher Spec Protocol
138
 a single message that indicates the end of the SSL handshake