Transcript document

Princess Nora Bint Abdulrahman University
College of computer and information
sciences
Networks department
Networks Security
(NET 536)
Prepared by Dr. Samia Chelloug
E-mail: [email protected]
Content
1. Basics of computer and network security.
2. Impact of network architecture on network
security.
3. Basics of network design.
4. Firewalls and virtual private networks.
5. Internet and wireless network security.
6. Impact of operating systems models on
network security.
7. How to secure an application?
Textbooks
1. Behrouz A. Forouzan, ‘Data Communications and Networking’, Fourth Edition, 2007.
2. William Stallings, ‘Cryptography and Network Security: Principles and Practice’, Fifth Edition, 2011.
3. Eric Cole, Ronald L. Krutz, James W. Conley, ‘Network Security Fundamentals’, Wiley, 2007.
Part 1: Basics of computer and networks
security
Computer and network security
Security attacks
Networks security services
Security trinity
Challenges of computer and network security
Cryptography
Symmetric encryption (DEA)
Asymmetric encryption (RSA )
Basics of computer and network security
• Computer security: involves implementing measures to secure a single computer (protecting the resources stored on that computer).
• Network security: involves protecting all the resources on a network. We must consider not only the computers on the network but also the other network devices and the data transmitted across the network.
Basics of computer and network security
Security attack: any action that compromises the security of information owned by an organization.
Basics of computer and network security
Passive attack
• Attempts to learn or make use of information from the system but does not affect system resources.
• The goal is to obtain information that is being transmitted.
• Examples: a telephone conversation, an electronic e-mail message…
• This type of attack is difficult to detect (it does not involve any alteration of data).
Active attack
• Attempts to involve some modification of the data stream or the creation of a false stream.
• Based on scanning (using a search engine such as Google, or any traditional method).
Basics of computer and network security
• Why is computer and network security important?
1. Protect company assets (hardware and software).
2. Gain competitive advantage: developing and maintaining effective security measures can provide an organization with a competitive advantage.
[Figure: data travelling between your computer and an e-commerce server is intercepted (unauthorized access).]
Basics of computer and network security
• Why is computer and network security important?
3. Keep your job: to secure one’s position within an organization and to ensure a future career, it is important to put into place measures that protect organizational assets.
Basics of computer and network security
• Network security can provide one of the five services: confidentiality, integrity, authentication, nonrepudiation.
1. Confidentiality: the transmitted message must make sense only to the intended receiver. To the others, the message must be garbage. When a customer communicates with her bank, she expects that her communication is totally confidential.
Basics of computer and network security
2. Integrity: the data must arrive at the receiver exactly as they were sent.
A request for transferring $100 should not be changed into a request for $1000.
3. Authentication: the receiver needs to be sure of the sender’s identity.
4. Nonrepudiation: a sender must not be able to deny sending a message that he or she, in fact, did send.
Basics of computer and network security
• Security trinity:
Network security is based on: prevention, detection, and response.
[Figure: the security trinity triangle (prevention, detection, response) with security at its centre.]
• The security trinity should be the foundation for all security policies.
Basics of computer and network security
-Prevention: in developing network security schemes, any organization should emphasize preventive measures over detection and response. It is more efficient and much more cost effective to prevent a security attack than to detect or respond to one.
-Detection: once the preventive measures fail, procedures need to be in place to detect the attack immediately.
-Response: we need to develop a plan that identifies the appropriate response to a security attack (who is responsible for executing some actions, and what is the appropriate action?).
Basics of computer and network security
• Challenges of computer and network security:
1. Security is not as simple as it might first appear to the novice: we need to consider potential attacks. Security mechanisms typically involve more than a particular algorithm.
2. Having designed various security mechanisms, it is necessary to decide where to use them (in a physical and logical sense). At what points in a network are certain security mechanisms needed? At what layer or layers of our architecture should mechanisms be placed?
Basics of computer and network security
• Cryptography:
• The concept of how to achieve message confidentiality or privacy has not changed for thousands of years.
• Message confidentiality is mostly achieved through the use of cryptography.
• Cryptography is a word of Greek origin meaning ‘Secret Writing’.
Definition:
Cryptography is the art of transforming messages to make them secure and immune to attacks.
Basics of computer and network security
[Figure: Sender → Plaintext → Encryption (Algorithm, Key) → Ciphertext → Decryption (Algorithm) → Plaintext → Receiver]
• Plaintext: the original message before being transformed.
• Ciphertext: a message which has been transformed.
• Key: a piece of data.
Basics of computer and network security
Symmetric cryptography (secret key)
A single key is used to both encrypt and decrypt a message.
The primary advantage is speed.
It can provide confidentiality but also integrity.
The security offered by the encryption is limited by the security applied to the key.
Basics of computer and network security
• Model for symmetric cryptography:
[Figure: Message source → x → Encryption algorithm → Y = E(k, x) → Decryption → x; the key k comes from the Key source and reaches both sides over a secured channel.]
Basics of computer and network security
1. Substitution techniques:
A substitution technique is one in which the letters of a plaintext are replaced by other letters.
Plaintext:  a b c d e f g h i j k l m n o p q r s t u v w x y z
Ciphertext: d e f g h i j k l m n o p q r s t u v w x y z a b c
• Plaintext: cryptography
• Ciphertext: fubswrjudskb
Basics of computer and network security
1. Substitution techniques:
Let’s assign a number to each letter:
a b c d e f g h i j k l  m  n
0 1 2 3 4 5 6 7 8 9 10 11 12 13
Algorithm for encryption: for each plaintext letter p, E(3, p) = (p + 3) mod 26.
Decryption algorithm: for each ciphertext letter c, D(3, c) = (c − 3) mod 26.
Problem: someone can try all the 25 possible keys.
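The shift cipher above as an added example (not code from the lecture), using the numeric alphabet a = 0 … z = 25 with E(k, p) = (p + k) mod 26 and D(k, c) = (c − k) mod 26; the last function lists all 25 candidate decryptions, which is the weakness the slide names.

```python
# Shift (Caesar) cipher on the numeric alphabet a=0 ... z=25.
# Non-letter characters are passed through unchanged; sample text is constructed.
import string

ALPHABET = string.ascii_lowercase

def shift_encrypt(plaintext: str, k: int) -> str:
    """E(k, p) = (p + k) mod 26 applied letter by letter."""
    out = []
    for ch in plaintext.lower():
        if ch in ALPHABET:
            p = ALPHABET.index(ch)                 # letter -> number
            out.append(ALPHABET[(p + k) % 26])     # number -> shifted letter
        else:
            out.append(ch)
    return "".join(out)

def shift_decrypt(ciphertext: str, k: int) -> str:
    """D(k, c) = (c - k) mod 26, i.e. a shift by 26 - k."""
    return shift_encrypt(ciphertext, (26 - k) % 26)

def try_all_keys(ciphertext: str) -> dict:
    """Only 25 non-trivial keys exist, so every candidate plaintext
    can simply be listed and inspected (the 'Problem' on the slide)."""
    return {k: shift_decrypt(ciphertext, k) for k in range(1, 26)}

if __name__ == "__main__":
    c = shift_encrypt("cryptography", 3)
    print(c)                                       # fubswrjudskb
    for k, guess in try_all_keys(c).items():
        print(k, guess)
```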
Basics of computer and network security
• Transposition techniques:
Perform some sort of permutation on the plaintext.
-Rail fence technique: the plaintext is written as a sequence of diagonals and then read off as a sequence of rows.
Message: ‘meet me after the toga party’
m   e   m   a   t   r   h   t   g   p   r   y
  e   t   e   f   e   t   e   o   a   a   t
Encrypted message: mematrhtgpryetefeteoaat
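The rail fence transposition as an added example (not the lecture's code); it generalizes the slide's two-row case to any number of rails and includes the decryption step the slide omits.

```python
# Rail fence transposition: letters are written down-and-up across the rails
# and read off row by row. Spaces are dropped, as in the slide's example.

def rail_index(i: int, rails: int) -> int:
    """Rail reached by the i-th letter when writing in a zigzag."""
    cycle = 2 * (rails - 1)
    pos = i % cycle
    return pos if pos < rails else cycle - pos

def rail_fence_encrypt(message: str, rails: int = 2) -> str:
    if rails < 2:
        raise ValueError("need at least two rails")
    letters = [ch for ch in message if ch.isalpha()]
    rows = [[] for _ in range(rails)]
    for i, ch in enumerate(letters):
        rows[rail_index(i, rails)].append(ch)
    return "".join("".join(row) for row in rows)      # read off the rows

def rail_fence_decrypt(ciphertext: str, rails: int = 2) -> str:
    if rails < 2:
        raise ValueError("need at least two rails")
    pattern = [rail_index(i, rails) for i in range(len(ciphertext))]
    # The ciphertext holds rail 0 first, then rail 1, ...; cut it accordingly.
    rows, start = [], 0
    for r in range(rails):
        count = pattern.count(r)
        rows.append(list(ciphertext[start:start + count]))
        start += count
    # Walk the zigzag again, taking the next unused letter from each rail.
    return "".join(rows[r].pop(0) for r in pattern)

if __name__ == "__main__":
    c = rail_fence_encrypt("meet me after the toga party")
    print(c)                          # mematrhtgpryetefeteoaat
    print(rail_fence_decrypt(c))      # meetmeafterthetogaparty
```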
Basics of computer and network security
• Cryptography is best understood by breaking it into four main areas or primitives: random number generation, symmetric encryption, asymmetric encryption, and hash functions.
• Random number generation: a computer algorithm can never generate completely random numbers.
• There are algorithms to create pseudorandom numbers (numbers that appear to be random).
• At some point, the algorithm will cycle and will start producing the same numbers in the same order (this is very dangerous because the repeated bit stream makes it easier to break the encryption).
Basics of computer and network security
• XOR: instead of rotating characters, a more modern approach to cryptography uses the XOR (exclusive or) function.
• XOR is a binary operation performed on two strings of bits.
A B A XOR B
0 0 0
0 1 1
1 0 1
1 1 0
Basics of computer and network security
• If we used addition instead of XOR, the resulting number could be larger than the character set.
• XOR has a very nice inverse property:
A XOR B = C
A XOR C = B
B XOR C = A
• If A is the plaintext and B the key, then C is the resulting ciphertext.
• Decryption can be performed by applying XOR to C and B.
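The XOR inverse property and the cycling-keystream risk from the random-number slide, as one added example (not code from the lecture). The message and key are constructed, and the tiny generator is deliberately weak so that its cycle is visible.

```python
# XOR as a cipher primitive, and why a cycling pseudorandom keystream is dangerous.

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Bitwise XOR of two equal-length byte strings (A XOR B = C)."""
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))

def lcg_keystream(seed: int, length: int, a: int = 5, c: int = 3, m: int = 16) -> bytes:
    """Keystream from a linear congruential generator x_{n+1} = (a*x_n + c) mod m.
    With m = 16 there are at most 16 states, so the stream must repeat."""
    out, x = [], seed
    for _ in range(length):
        x = (a * x + c) % m
        out.append(x)
    return bytes(out)

def period(seed: int, a: int = 5, c: int = 3, m: int = 16) -> int:
    """How many outputs the generator produces before a state repeats."""
    seen, x, n = set(), seed, 0
    while x not in seen:
        seen.add(x)
        x = (a * x + c) % m
        n += 1
    return n

def repeats(stream: bytes, p: int) -> bool:
    """True if the stream repeats with period p: the same bits are reused."""
    return len(stream) >= 2 * p and stream[p:2 * p] == stream[:p]

if __name__ == "__main__":
    A = b"attack at dawn"            # plaintext (constructed)
    B = b"constructedkey"            # key, same length as the plaintext
    C = xor_bytes(A, B)              # ciphertext
    print(xor_bytes(C, B) == A)      # decryption: C XOR B = A
    print(xor_bytes(A, C) == B)      # known plaintext and ciphertext give the key
    ks = lcg_keystream(seed=7, length=32)
    print(period(7), repeats(ks, 16))   # 16 True
```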
Basics of computer and network security
• Sharing the keys:
• The key is shared before communication begins.
• If Alice wants to communicate with Bob but has never met Bob before, how can Alice and Bob communicate securely?
• They could create keys and encrypt them so no one knows the keys.
• Solution 1:
• Use a trusted third party.
Basics of computer and network security
• Sharing the keys:
• Alice creates a key to be used to communicate with Bob. She will encrypt this key using a pre-shared key that she has with Trent.
• Trent will decrypt it and encrypt it again with a key shared with Bob.
[Figure: the key relayed through Trent, labelled E(K1, k2) and E(K1, k3).]
• Problem: what if Trent is not really Trent but another person?
Basics of computer and network security
• Sharing the keys:
• Solution 2: key agreement protocol
• Alice and Bob agree to use a specific prime number (p) and a base number (g).
• Alice and Bob each choose a secret integer.
• Suppose that the secret integer chosen by Alice is a and the secret integer chosen by Bob is b.
• Alice sends: g^a mod p
• Bob sends: g^b mod p
• Alice calculates the key = (message from Bob)^a mod p
• Bob calculates the key = (message from Alice)^b mod p
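The key agreement protocol above, as an added example (not code from the lecture): both sides are run and shown to derive the same key. The values p = 23, g = 5, a = 6, b = 15 are constructed for illustration; a real deployment uses a large prime and secrets from a cryptographic random source.

```python
# Diffie-Hellman style key agreement: exchange g^a mod p and g^b mod p,
# then each side raises the received value to its own secret.
import secrets

def dh_public(g: int, secret: int, p: int) -> int:
    """Value sent over the channel: g^secret mod p."""
    return pow(g, secret, p)

def dh_shared(received: int, secret: int, p: int) -> int:
    """Key computed from the other party's message: received^secret mod p.
    The trivial values 0 and 1 are rejected; they would force a known key."""
    if not 1 < received < p:
        raise ValueError("received value is outside the group")
    return pow(received, secret, p)

def dh_exchange(p: int, g: int, a: int, b: int):
    """Run both sides and return (Alice's key, Bob's key)."""
    msg_alice = dh_public(g, a, p)          # Alice sends g^a mod p
    msg_bob = dh_public(g, b, p)            # Bob sends g^b mod p
    key_alice = dh_shared(msg_bob, a, p)    # (message from Bob)^a mod p
    key_bob = dh_shared(msg_alice, b, p)    # (message from Alice)^b mod p
    return key_alice, key_bob

def random_secret(p: int) -> int:
    """Secret exponent in [2, p-2] from the OS CSPRNG, not a cycling PRNG."""
    return 2 + secrets.randbelow(p - 3)

if __name__ == "__main__":
    print(dh_exchange(23, 5, 6, 15))        # (2, 2): both sides agree
```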
Basics of computer and network security
• Data encryption algorithm (DEA):
Inputs: the plaintext must be 64 bits in length and the key is 56 bits (8 bits can be used as parity bits).
1. The bits of m are permuted by a fixed initial permutation to obtain m0 = IP(m).
m0 = L0 R0 (32 bits each)
2. For i = 1:16 do
Li = Ri-1
Ri = Li-1 XOR f(Ri-1, Ki)
Ki: string of 48 bits obtained from the key k.
3. Switch left and right, then apply the inverse of the initial permutation.
Basics of computer and network security
Initial permutation
IP(M)
Basics of computer and network security
• Example:
• Find the output of the initial permutation if the input is:
0000 0080 0000 0002
• The input has only two 1s (bit 25 and bit 63).
• According to the previous table, bit 25 becomes bit 37 of the permutation and bit 63 becomes bit 57 of the permutation.
• The result of the permutation is:
0000 0000 0800 0008
Basics of computer and network security
• R is expanded to E(R) by the following table:
Expansion Permutation
32  1  2  3  4  5  4  5  6  7  8  9
 8  9 10 11 12 13 12 13 14 15 16 17
16 17 18 19 20 21 20 21 22 23 24 25
24 25 26 27 28 29 28 29 30 31 32  1
• This means that the first bit of E(R) is the 32nd bit of R.
Basics of computer and network security
• Compute E(R) XOR Ki and write the result as B1B2B3B4B5B6B7B8.
• Write Bj as b1b2b3b4b5b6.
The row of the S-box is given by b1b6 and b2b3b4b5 determines the column.
S-Box 3
10  0  9 14  6  3 15  5  1 13 12  7 11  4  2  8
13  7  0  9  3  4  6 10  2  8  5 14 12 11 15  1
13  6  4  9  8 15  3  0 11  1  2 12  5 10 14  7
 1 10 13  0  6  9  8  7  4 15 14  3 11  5  2 12
Basics of computer and network security
• If B3 = 001001 then we check table S3 (row 01, column 0100).
• The output of S3 is 0011.
• The string C1C2C3C4C5C6C7C8 is permuted according to the following table:
16 7 20 21 29 12 28 17 1 15 23 26 5 18 31 10
2 8 24 14 32 27 3 9 19 13 30 6 22 11 4 25
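The expansion, XOR and S-box steps of the round function, as an added example (not code from the lecture). E and S3 are the standard DES tables shown on the slides; since only S3 is on the page, the lookup is demonstrated on that box, and the sample inputs are constructed.

```python
# One step of the DES round function f(R, Ki): expand the 32-bit R with E,
# XOR with the 48-bit round key, split into B1..B8 and look a block up in an
# S-box using row = b1b6 (outer bits) and column = b2b3b4b5 (inner bits).
E = [32, 1, 2, 3, 4, 5, 4, 5, 6, 7, 8, 9,
     8, 9, 10, 11, 12, 13, 12, 13, 14, 15, 16, 17,
     16, 17, 18, 19, 20, 21, 20, 21, 22, 23, 24, 25,
     24, 25, 26, 27, 28, 29, 28, 29, 30, 31, 32, 1]

S3 = [[10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8],
      [13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1],
      [13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7],
      [1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12]]

def expand(r32: int) -> int:
    """E(R): output bit i is input bit E[i]; bit 1 is the leftmost (MSB)."""
    out = 0
    for pos in E:
        out = (out << 1) | ((r32 >> (32 - pos)) & 1)
    return out                     # 48-bit value

def split_blocks(x48: int) -> list:
    """B1..B8: eight 6-bit blocks, B1 being the leftmost."""
    return [(x48 >> (42 - 6 * j)) & 0x3F for j in range(8)]

def sbox_lookup(sbox, b6: int) -> int:
    """Row from b1b6, column from b2b3b4b5; returns the 4-bit S-box output."""
    row = (((b6 >> 5) & 1) << 1) | (b6 & 1)
    col = (b6 >> 1) & 0xF
    return sbox[row][col]

def sbox_inputs(r32: int, k48: int) -> list:
    """The blocks B1..B8 of E(R) XOR Ki that feed S1..S8."""
    return split_blocks(expand(r32) ^ k48)

if __name__ == "__main__":
    print(f"{expand(1):012x}")                 # first bit of E(R) is bit 32 of R
    print(f"{sbox_lookup(S3, 0b001001):04b}")  # 0011, as on the slide
```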
• Deriving the subkeys:
• Recall that we start with a 64-bit k.
Basics of computer and network security
• Key permutation can be performed according to this table:
Key Permutation
57 49 41 33 25 17  9  1 58 50 42 34 26 18
10  2 59 51 43 35 27 19 11  3 60 52 44 36
63 55 47 39 31 23 15  7 62 54 46 38 30 22
14  6 61 53 45 37 29 21 13  5 28 20 12  4
For i = 1:16
• Ci = LSi(Ci-1)
• Di = LSi(Di-1)
LSi: shift one or more places to the left
Basics of computer and network security
Number of Key Bits Shifted per Round
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16
1 1 2 2 2 2 2 2 1 2 2 2 2 2 2 1
• 48 bits are chosen from the 56-bit string CiDi according to the following table:
14 17 11 24  1  5  3 28 15  6 21 10
23 19 12  4 26  8 16  7 27 20 13  2
41 52 31 37 47 55 30 40 51 45 33 48
44 49 39 56 34 53 46 42 50 36 29 32
Basics of computer and network security
• Asymmetric encryption:
1. Each user generates a pair of keys to be used for the
encryption and decryption of messages.
2. Each user places one of the two keys in a public
register or any accessible file. This is the public key.
3. If Bob wishes to send a confidential message to
Alice, Bob encrypts the message using Alice’s
public key.
4. When Alice receives the message, she decrypts it
using her private key.
Basics of computer and network security
• RSA algorithm:
1. Public key = {e, n}
2. Private key = {d, n}
Key generation:
M: plaintext, M < n
1. Select p, q both prime, p ≠ q
2. Calculate n = p * q
3. Calculate φ(n) = (p − 1) * (q − 1)
4. Select an integer e such that gcd(φ(n), e) = 1 and 1 < e < φ(n)
Basics of computer and network security
5. Calculate d = e^(−1) mod φ(n)
Ciphertext C = M^e mod n
Plaintext M = C^d mod n
Example:
• p = 17, q = 11
• n = 187
• φ(n) = 160
• e = 7
• d = 23
• PU = {7, 187}; PR = {23, 187}
• M = 88; C = 88^7 mod 187 = 11
• M = 11^23 mod 187 = 88
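The RSA steps above, as an added example (not code from the lecture), checked against the slide's numbers (p = 17, q = 11, e = 7, M = 88). The tiny primes are for illustration only; `pow(e, -1, phi)` for the modular inverse needs Python 3.8 or later.

```python
# RSA key generation, encryption and decryption following the slide's steps.
from math import gcd

def rsa_keygen(p: int, q: int, e: int):
    """Return (PU, PR) = ((e, n), (d, n)) from two distinct primes and exponent e."""
    if p == q:
        raise ValueError("p and q must be distinct")
    n = p * q                                   # step 2
    phi = (p - 1) * (q - 1)                     # step 3: phi(n)
    if not 1 < e < phi or gcd(phi, e) != 1:     # step 4
        raise ValueError("e must satisfy 1 < e < phi(n) and gcd(phi(n), e) = 1")
    d = pow(e, -1, phi)                         # step 5: d = e^-1 mod phi(n)
    return (e, n), (d, n)

def rsa_encrypt(m: int, public) -> int:
    """C = M^e mod n; the plaintext must be smaller than n."""
    e, n = public
    if not 0 <= m < n:
        raise ValueError("plaintext must satisfy 0 <= M < n")
    return pow(m, e, n)

def rsa_decrypt(c: int, private) -> int:
    """M = C^d mod n."""
    d, n = private
    return pow(c, d, n)

if __name__ == "__main__":
    pu, pr = rsa_keygen(17, 11, 7)
    print(pu, pr)                        # (7, 187) (23, 187)
    c = rsa_encrypt(88, pu)
    print(c, rsa_decrypt(c, pr))         # 11 88
```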