Network Security and cryptography A note on the

Network Security and cryptography A note on the use of these ppt slides: We’re making these slides freely available to all (faculty, students, readers). They’re in powerpoint form so you can add, modify, and delete slides (including this one) and slide content to suit your needs. They obviously represent a lot of work on our part. In return for use, we only ask the following: q If you use these slides (e. g. , in a class) in substantially unaltered form, that you mention their source (after all, we’d like people to use our book!) q If you post any slides in substantially unaltered form on a www site, that you note that they are adapted from (or perhaps identical to) our slides, and note our copyright of this material. Computer Networking: A Top Down Approach Featuring the Internet, 2 nd edition. Jim Kurose, Keith Ross Addison-Wesley, July 2002. Thanks and enjoy! JFK/KWR All material copyright 1996 -2002 J. F Kurose and K. W. Ross, All Rights Reserved Network Security 1

Security and Cryptography r Security: all issues which make secure communication r r (information transmission, two (multiple) party interaction) over insecure channels. Cryptography: the science and art of manipulating messages to make them secure. Classical cryptographic techniques. Along with the development of communication networks and their broad applications, network security is becoming a more serious problem. Thus, call for modern cryptography. Network Security 2

Network threats and attacks Passive: Eavesdropping Traffic analysis Masquerading Active: Server Client Replay client Client Man-in-middle rep lay Client Modification Client Denial of service Attacker modify Server Network Security 3

Security requirements for transmitting information r Privacy or confidentiality: the information should be readable only by the intended receiver. i. e. , protect the information from eavesdropping. r Integrity: the receiver can confirm that a message has not been altered during transmission, i. e. , protect the information from tampering. r Authentication: any party (sender or receiver) can verify that the other party is who he or she claims to be, i. e. , validate the identity of the other party. r Nonrepudiation: the sender can not deny having sent a given message. i. e. , if a transaction (e. g. , a purchase) has occurred between two parties, the nonrepudiation service can prove that for any party, he/she really performed the transaction him/herself, not by any other person. Network Security 4

Approaches to implementing security Confidentiality: By encryption (and decryption) Sender: encrypts the message using a key and sends the encrypted message. Receiver: decrypts the encrypted message using the same key as the sender’s key or a key derivable from the sender’s key. Integrity: By checksum or hash value/message digest. Sender: computes checksum/hash value/message digest from the message and sends the message along with the checksum/hash value/message digest. Receiver: re-computes checksum/hash value/message digest from received message and compares with the transmitted checksum/hash value/message digest. Both are transmitted message checksum In some sense, it likes error-detection. Problem: the attacker, after intercepting the message, modifies the message, computes the checksum for modified message, and resends them. Solution: keyed checksum/hash value/message digest. Message + checksum key message checksum are transmitted Network Security 5

Approaches to implementing security (cont. ) Authentication: Traditional user ID and password. Modern cryptography based authentication. --Digital signature. Nonrepudiation: Undeniable signature, i. e. , Digital signature + verification protocol + disavowal protocol Network Security 6

Security requirements and their implementation Confidentiality: encryption (and decryption) Integrity: checksum or hash value/message digest or MAC. Authentication: user ID and password or Digital signature. Nonrepudiation: Undeniable signature Availability: Intrusion detection and defense Authorization: Access control Accountability: Log, record, trace, system administration Q: how to defense Replay attack? Timestamps and/or sequence numbers. Network Security 7

Classification of cryptosystems r Secret key systems vs. public key systems r Classical vs. modern m Classical: secret key systems • Shift, Affine, Vigenere, Hill, Permutation (transposition) cipher, Stream cipher m Modern: • Secret key systems – DES, AES, PGM • Public key systems – RSA, El. Gamal, Elliptic Curve Network Security 8

Shift cipher--example r Suppose a plaintext word: cryptography r Change each letter by shifting the letter three position rightward r The cipherword is: FUBSWRJUDSKB Question: if given the above cipherword, how to get original word? Change each letter by shifting the letter three position leftward. This kind of cryptosystem is called “Caesar Cipher” Network Security 9

Secret cryptosystem--DES r Data Encryption Standard (DES) r First version in 1975, developed by IBM. r A type of iterated cipher. r Plaintext block: 64 bits, key: 56 bits, ciphertext block: 64 bits. r Steps: m Initial permutation (IP) m 16 rounds of transformations m Inverse permutation (IP-1) Network Security 10

Our goals: r understand principles of network security: m cryptography and its many uses beyond “confidentiality” m authentication m message integrity m key distribution r security in practice: m firewalls m security in application, transport, network, link layers Network Security 11

Chapter 7 roadmap 7. 1 What is network security? 7. 2 Principles of cryptography 7. 3 Authentication 7. 4 Integrity 7. 5 Key Distribution and certification 7. 6 Access control: firewalls 7. 7 Attacks and counter measures 7. 8 Security in many layers Network Security 12

Friends and enemies: Alice, Bob, Trudy r well-known in network security world r Bob, Alice (lovers!) want to communicate “securely” r Trudy (intruder) may intercept, delete, add messages Alice data channel secure sender Bob data, control messages secure receiver data Trudy Network Security 13

Who might Bob, Alice be? r … well, real-life Bobs and Alices! r Web browser/server for electronic transactions (e. g. , on-line purchases) r on-line banking client/server r DNS servers r routers exchanging routing table updates r other examples? Network Security 14

There are bad guys (and girls) out there! Q: What can a “bad guy” do? A: a lot! m eavesdrop: intercept messages m actively insert messages into connection m impersonation: can fake (spoof) source address in packet (or any field in packet) m hijacking: “take over” ongoing connection by removing sender or receiver, inserting himself in place m denial of service: prevent service from being used by others (e. g. , by overloading resources) more on this later …… Network Security 15

Chapter 7 roadmap 7. 1 What is network security? 7. 2 Principles of cryptography 7. 3 Authentication 7. 4 Integrity 7. 5 Key Distribution and certification 7. 6 Access control: firewalls 7. 7 Attacks and counter measures 7. 8 Security in many layers Network Security 16

The language of cryptography Alice’s K encryption A key plaintext encryption algorithm Bob’s K decryption B key ciphertext decryption plaintext algorithm symmetric key crypto: sender, receiver keys identical public-key crypto: encryption key public, decryption key secret (private) Network Security 17

Symmetric key cryptography substitution cipher: substituting one thing for another m monoalphabetic cipher: substitute one letter for another plaintext: abcdefghijklmnopqrstuvwxyz ciphertext: mnbvcxzasdfghjklpoiuytrewq E. g. : Plaintext: bob. i love you. alice ciphertext: nkn. s gktc wky. mgsbc Q: How hard to break this simple cipher? : q brute force (how hard? ) q other? Network Security 18

Symmetric key cryptography KA-B plaintext message, m encryption ciphertext algorithm K (m) A-B decryption plaintext algorithm m=K A-B ( KA-B(m) ) symmetric key crypto: Bob and Alice share know same (symmetric) key: K A-B r e. g. , key is knowing substitution pattern in mono alphabetic substitution cipher r Q: how do Bob and Alice agree on key value? Network Security 19

Symmetric key crypto: DES: Data Encryption Standard r US encryption standard [NIST 1993] r 56 -bit symmetric key, 64 -bit plaintext input r How secure is DES? m DES Challenge: 56 -bit-key-encrypted phrase (“Strong cryptography makes the world a safer place”) decrypted (brute force) in 4 months m no known “backdoor” decryption approach r making DES more secure: m use three keys sequentially (3 -DES) on each datum m use cipher-block chaining Network Security 20

Symmetric key crypto: DES operation initial permutation 16 identical “rounds” of function application, each using different 48 bits of key final permutation Network Security 21

AES: Advanced Encryption Standard r new (Nov. 2001) symmetric-key NIST standard, replacing DES r processes data in 128 bit blocks r 128, 192, or 256 bit keys r brute force decryption (try each key) taking 1 sec on DES, takes 149 trillion years for AES Network Security 22

Public Key Cryptography symmetric key crypto r requires sender, receiver know shared secret key r Q: how to agree on key in first place (particularly if never “met”)? r Another problems: n people, if you wants to have a shared key with each of them, n(n-1)/2 keys. public key cryptography r Every person (just) has two keys: public key and private key. r sender, receiver do not share secret key r public encryption key known to all r private decryption key known only to receiver Network Security 23

Public key cryptography + Bob’s public B key K K plaintext message, m encryption ciphertext algorithm + K (m) B - Bob’s private B key decryption plaintext algorithm message + m = K B(K (m)) B Network Security 24

Public key encryption algorithms Requirements: 1 2 . . + need K B( ) and K - ( ) such that B - + K (K (m)) = m B B + given public key KB , it should be impossible to compute private key K B RSA: Rivest, Shamir, Adelson algorithm Network Security 25

RSA: Choosing keys 1. Choose two large prime numbers p, q. (e. g. , 1024 bits each) 2. Compute n = pq, z = (p-1)(q-1) = (n) 3. Choose e (with e

RSA: Encryption, decryption 0. Given (n, e) and (n, d) as computed above 1. To encrypt bit pattern, m, compute e mod n (i. e. , remainder when m e is divided by n) c=m 2. To decrypt received bit pattern, c, compute d m = c d mod n (i. e. , remainder when c is divided by n) Magic d m = (m e mod n) mod n happens! c Network Security 27

RSA example: Bob chooses p=5, q=7. Then n=35, z=24. e=5 (so e, z relatively prime). d=29 (so ed-1 exactly divisible by z. encrypt: decrypt: letter m me l 12 1524832 c 17 d c 48196857210675091411825223071697 c = me mod n 17 m = cd mod n letter 12 l Network Security 28

RSA: m = (m e mod n) Why is that d mod n Useful number theory result: If p, q prime and n = pq, then: y y mod (p-1)(q-1) x mod n = x mod n e (m mod n) d mod n = med mod n = m ed mod (p-1)(q-1) mod n (using number theory result above) 1 = m mod n (since we chose ed to be divisible by (p-1)(q-1) with remainder 1 ) = m Network Security 29

Questions about implementing of RSA r How to generate large primes? m Select a random number, test its primality. r How to choose e, such that gcd(e, z)=1 m Euclidean Algorithm r How to computer multiplicative inverse d such that d e mod z =1 m Extended Euclidean Algorithm r How to compute the modular-exponentiation (encryption & decryption) efficiently? m Square-and-multiply Algorithm. r RSA attack: attempt to factor n and how? r RSA uses numbers, therefore need encoding for normal text. Network Security 30

RSA: another important property The following property will be very useful later: - + B B K (K (m)) + = m = K (K (m)) B B use public key first, followed by private key use private key first, followed by public key Result is the same! Network Security 31

Chapter 7 roadmap 7. 1 What is network security? 7. 2 Principles of cryptography 7. 3 Authentication 7. 4 Integrity 7. 5 Key Distribution and certification 7. 6 Access control: firewalls 7. 7 Attacks and counter measures 7. 8 Security in many layers Network Security 32

Authentication Goal: Bob wants Alice to “prove” her identity to him Protocol ap 1. 0: Alice says “I am Alice” Failure scenario? ? Network Security 33

Authentication Goal: Bob wants Alice to “prove” her identity to him Protocol ap 1. 0: Alice says “I am Alice” in a network, Bob can not “see” Alice, so Trudy simply declares herself to be Alice Network Security 34

Authentication: another try Protocol ap 2. 0: Alice says “I am Alice” in an IP packet containing her source IP address Alice’s “I am Alice” IP address Failure scenario? ? Network Security 35

Authentication: another try Protocol ap 2. 0: Alice says “I am Alice” in an IP packet containing her source IP address Alice’s IP address Trudy can create a packet “spoofing” “I am Alice” Alice’s address Network Security 36

Authentication: another try Protocol ap 3. 0: Alice says “I am Alice” and sends her secret password to “prove” it. Alice’s “I’m Alice” IP addr password Alice’s IP addr OK Failure scenario? ? Network Security 37

Authentication: another try Protocol ap 3. 0: Alice says “I am Alice” and sends her secret password to “prove” it. Alice’s “I’m Alice” IP addr password Alice’s IP addr OK playback attack: Trudy records Alice’s packet and later plays it back to Bob Alice’s “I’m Alice” IP addr password Network Security 38

Authentication: yet another try Protocol ap 3. 1: Alice says “I am Alice” and sends her encrypted secret password to “prove” it. Alice’s encrypted “I’m Alice” IP addr password Alice’s IP addr OK Failure scenario? ? Network Security 39

Authentication: another try Protocol ap 3. 1: Alice says “I am Alice” and sends her encrypted secret password to “prove” it. Alice’s encryppted “I’m Alice” IP addr password Alice’s IP addr OK record and playback still works! Alice’s encrypted “I’m Alice” IP addr password Network Security 40

Authentication: yet another try Goal: avoid playback attack Nonce: number (R) used only once –in-a-lifetime ap 4. 0: to prove Alice “live”, Bob sends Alice nonce, R. Alice must return R, encrypted with shared secret key “I am Alice” R KA-B(R) Failures, drawbacks? Alice is live, and only Alice knows key to encrypt nonce, so it must be Alice! Network Security 41

Authentication: ap 5. 0 ap 4. 0 requires shared symmetric key r can we authenticate using public key techniques? ap 5. 0: use nonce, public key cryptography “I am Alice” R Bob computes + - - K A (R) “send me your public key” + KA KA(KA (R)) = R and knows only Alice could have the private key, that encrypted R such that + K (K (R)) = R A A Network Security 42

ap 5. 0: security hole Man (woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice) I am Alice R K (R) T K (R) A Send me your public key + K T Send me your public key + K A - + m = K (K (m)) A A + K (m) A Trudy gets - + m = K (K (m)) sends T to Alice m T + K (m) T ennrypted with Alice’s public key Network Security 43

ap 5. 0: security hole Man (woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice) Difficult to detect: q Bob receives everything that Alice sends, and vice versa. (e. g. , so Bob, Alice can meet one week later and recall conversation) q problem is that Trudy receives all messages as well! Network Security 44

Digital Signatures Cryptographic technique analogous to handwritten signatures. r sender (Bob) digitally signs document, establishing he is document owner/creator. r verifiable, nonforgeable: recipient (Alice) can prove to someone that Bob, and no one else (including Alice), must have signed document Network Security 45

Digital Signatures Simple digital signature for message m: r Bob signs m by encrypting with his private key - KB, creating “signed” message, KB(m) Bob’s message, m Dear Alice Oh, how I have missed you. I think of you all the time! …(blah) Bob K B Bob’s private key Public key encryption algorithm K B(m) Bob’s message, m, signed (encrypted) with his private key Network Security 46

Digital Signatures (more) - r Suppose Alice receives msg m, digital signature KB(m) r Alice verifies m signed by Bob by applying Bob’s + - public key KB to KB(m) then checks KB(KB(m) ) = m. + - r If KB(KB(m) ) = m, whoever signed m must have used Bob’s private key. Alice thus verifies that: ü Bob signed m. ü No one else signed m. ü Bob signed m and not m’. Non-repudiation: ü Alice can take m, and signature KB(m) to court and prove that Bob signed m. Network Security 47

Chapter 7 roadmap 7. 1 What is network security? 7. 2 Principles of cryptography 7. 3 Authentication 7. 4 Message integrity 7. 5 Key Distribution and certification 7. 6 Access control: firewalls 7. 7 Attacks and counter measures 7. 8 Security in many layers Network Security 48

Message Digests Goal: fixed-length, easyto-compute digital “fingerprint” r apply hash function H to m, get fixed size message digest, H(m). large message m H: Hash Function H(m) Hash function properties: r many-to-1 r produces fixed-size msg digest (fingerprint) for a message of random length. Network Security 49

Requirements for hash functions r One way m A hash h: X Y, and an element y Y m Find x X, such that h(x)=y. (one way: given message digest h, computationally infeasible to find m such that h = H(m)) r Matching resistant (O(n/2)) m m A hash h: X Y, and an element x X, Find x’ X, such that x’ x and h(x’)=h(x). r Collision resistant (birthday paradox) (O(1. 2 n)) m A hash h: X Y m Find x, x’ X, such that x’ x and h(x’)=h(x). Network Security 50

Internet checksum: poor crypto hash function Internet checksum has some properties of hash function: ü produces fixed length digest (16 -bit sum) of message ü is many-to-one But given message with given hash value, it is easy to find another message with same hash value: message I O U 1 0 0. 9 9 B O B ASCII format 49 4 F 55 31 30 30 2 E 39 39 42 D 2 42 B 2 C 1 D 2 AC message I O U 9 0 0. 1 9 B O B ASCII format 49 4 F 55 39 30 30 2 E 31 39 42 D 2 42 B 2 C 1 D 2 AC different messages but identical checksums! Network Security 51

Long message: encryption and signature r M=m 1 m 2…mr, r RSA systems: public key: (n, b), secret key (n, a) r For encryption: m C=(m 1)b(m 2)b…(mr)b (each computation mod n) m Slow, so select a random k, encrypt M with k and then encrypt k with the public key, i. e. , • C={m 1}k{m 2}k…{mr}k, and EK=(k)b mod n. r For signature: m S=(m 1)a(m 2)a…(mr)a (each computation mod n) m Sign every value which is slow. Network Security 52

Sign long message: M message digest signature Alice verifies signature and integrity of digitally signed message: Bob sends digitally signed message: large message m H: Hash function Bob’s private key + - KB encrypted msg digest H(m) digital signature (encrypt) encrypted msg digest KB(H(m)) large message m H: Hash function KB(H(m)) Bob’s public key + KB digital signature (decrypt) H(m) equal ? Network Security 53

Hash Function Algorithms r MD 5 hash function widely used (RFC 1321) m computes 128 -bit message digest in 4 -step process. m arbitrary 128 -bit string x, appears difficult to construct msg m whose MD 5 hash is equal to x. r SHA-1 is also used. m US standard [NIST, FIPS PUB 180 -1] m 160 -bit message digest Network Security 54

Chapter 7 roadmap 7. 1 What is network security? 7. 2 Principles of cryptography 7. 3 Authentication 7. 4 Integrity 7. 5 Key distribution and certification 7. 6 Access control: firewalls 7. 7 Attacks and counter measures 7. 8 Security in many layers Network Security 55

Trusted Intermediaries Symmetric key problem: Public key problem: r How do two entities establish r When Alice obtains Bob’s Solution: r Diffie-Hellman key agreement Solution: shared secret key over network? r trusted key distribution center (KDC) acting as intermediary between entities r Both called key management public key (from web site, email, diskette), how does she know it is Bob’s public key, not Trudy’s? r Public-key infrastructure. (PKI). Network Security 56

DLP (Discrete Logarithm Problem) Suppose p is an odd prime. m Zp={0, 1, …, p-1} is a finite field. m m Zp* : the set of integers which are relatively prime to p. • {a Zp | gcd(a, p)=1}={1, …, p-1} • it is a cyclic multiplicative group. m m g is a generator of Zp* , • i. e. , Zp* ={g 0 mod p, g 1 mod p, …, g p-2 mod p}. DLP problem • Given any a, compute b=g a (mod p) is easy. • given any b, find an a such that b = g a (mod p) is difficult. m Denoted as a = log g b. Omit: mod p for simplicity. Network Security 57

(Two-party) Diffie-Hellman (DH) key exchange Suppose p and g are publicly known: (b g b mod p) (a g a mod p) ga Bob Alice gb K=(gb) a=g ab K=(ga) b=g ab Anyone else can compute g a g b = g a+b but not g ab a and b are called DH private components. g a and g b are called DH public components. Network Security 58

The “Man-in-the-middle” attack (a, g a) (c, g c) (b, g b) ga Alice K=(gc)a=gac gc gc gb Oscar K=(ga)c=gac K=(gb)c=gbc Bob K=(gc)b=gbc The ways to defend against the “man-in-the-middle” attack: 1. Use permanent DH components, like RSA permanent keys. 2. Perform authentication. Network Security 59

Key Distribution Center (KDC) r Alice, Bob need shared symmetric key. r KDC: server shares different secret key with each registered user (many users) r Alice, Bob know own symmetric keys, KA-KDC KB-KDC , for communicating with KDC KA-KDC KP-KDC KB-KDC KA-KDC KX-KDC KY-KDC KB-KDC KZ-KDC Network Security 60

Key Distribution Center (KDC) Q: How does KDC allow Bob, Alice to determine shared symmetric secret key to communicate with each other? KDC generates R 1 KA-KDC(A, B) Alice knows R 1 KA-KDC(R 1, KB-KDC(A, R 1) ) KB-KDC(A, R 1) Bob knows to use R 1 to communicate with Alice and Bob communicate: using R 1 as session key for shared symmetric encryption Network Security 61

Public key Infrastrucure (PKI) r Public key certificate r Certificate authority r X. 509 certificate structure r CA hierarchy r Policy and protocols about issuing, verification, updating, and revocation of certificate. Network Security 62

Certification Authorities r Certification authority (CA): binds public key to particular entity, E. r E (person, router) registers its public key with CA. m m m E provides “proof of identity” to CA. CA creates certificate binding E to its public key. certificate containing E’s public key digitally signed by CA – CA says “this is E’s public key” Bob’s public key Bob’s identifying information + KB digital signature (encrypt) CA private key K- CA + KB certificate for Bob’s public key, signed by CA Network Security 63

Certification Authorities r When Alice wants Bob’s public key: m gets Bob’s certificate (Bob or elsewhere). m apply CA’s public key to Bob’s certificate, get Bob’s public key + KB digital signature (decrypt) CA public key Bob’s public + key KB + K CA Network Security 64

A certificate contains: r Serial number (unique to issuer) r info about certificate owner, including algorithm and key value itself (not shown) r info about certificate issuer r valid dates r digital signature by issuer Network Security 65

CA Hierarchy – an example • A acquires B certificate following chain: • X<>W<>V<>Y<>Z<> • B acquires A certificate following chain: • Z<>Y<>V<>W<>X<> Notation: CA<> means CA has signed certificate details for User Network Security 66