Network Security r Taken mostly from Network and

Network Security r Taken mostly from “Network and Internetwork Security” William Stallings 1995 r Overview r Conventional encryption r Confidentiality using conventional encryption r Public-Key Cryptography r Authentication and Digital Signatures r Intruders r Practice Network Security 1

Overview r What do we want to achieve? Bob Alice Trudy Network Security 2

Security Services r Confidentiality r Authentication r Integrity r Non-repudiation r Access Control r Availability Network Security 3

Confidentiality r The data must be hidden m Trudy cannot see the message m Trudy cannot seen that a message was sent r How long must confidentiality be preserved? Network Security 4

Authentication r Are the receiver and sender who they claim to be? m Am I really talking to Bob? m Is that really Alice telling me that she no longer loves me? Network Security 5

Integrity r Ensure the entire message is transmitted, and nothing in addition to the entire message m Alice says “Please buy 100 shares of Nortel” m Bob see “Please buy 100, 000 shares of Nortel” Network Security 6

Non-Repudiation r After the message is transmitted and received, neither party can deny that fact m “No, really, I certainly did not order 100, 000 shares of Nortel at $125 per share last March. ” r Note: Alice and Bob do not necessarily trust each other! Network Security 7

Access Control r Control access to hosts and applications m Everything looks like its from Alice, but it turns out that Trudy has broken into Alice’s machine and successfully emulated Alice Network Security 8

Availability r The communication channel must remain open m “That’s odd, I haven’t heard from Alice in three weeks, and she usually calls me twice a day. ” Network Security 9

Security Threats r Passive Attacks m Content observation • “I wonder want people would think if they knew what Alice and Bob were planning? ” m Traffic Analysis • “Gee, the American third battalion was transmitting more and more information, and then they suddenly ceased all communication. ” Network Security 10

Interruption r Trudy prevents Alice from talking to Bob Alice Trudy Network Security 11

Interception r Trudy overhears Alice’s message Bob Alice Trudy Network Security 12

Modification r Trudy changes Alice’s message Bob Alice Trudy Network Security 13

Fabrication r Trudy send a message claiming to be from Alice Bob Alice Trudy Network Security 14

Conventional Encryption Model r AKA: m Symmetric m shared-key m single-key m private-key r Plaintext: the original message r Ciphertext: the encrypted message r Secret key: the key used to encrypt and decrypt the message Network Security 15

Model X? Cryptanalyst K? Message Source X Encrypt Insecure Channel Y X decrypt Message Destination Secret Key Secure Channel Network Security 16

Conventional Encryption Model r Message Source: X = [X 1, X 2, … XM] r M elements are over some finite alphabet r Y = [Y 1, Y 2, … YN] r Y = EK(X) r X = DK(Y) Network Security 17

The Opponent: Cryptanalyst r Kerchoff’s Principle m The security of a cryptosystem must not depend on keeping the algorithm secret r Types of Attack: m Ciphertext only m Known plaintext m Chosen plaintext Network Security 18

Degree of Security r Unconditionally secure m The ciphertext does not contain sufficient information to uniquely determine the corresponding plaintext m One time pad r Computationally secure m The cost of breaking the cipher exceeds the value of the encrypted information m The time required exceeds the useful lifetime of the information Network Security 19

Classical Encryption Techniques r Steganography: m “Covered Writing” m Examples: • • • Character marking Invisible ink Pin punctures Use low-order bits of image encoding Communication frequency Etc. m Drawbacks: • Fails Kerchoff’s principle! Network Security 20

Steganography r (a) Three zebras and a tree. (b) Three zebras, a tree, and the complete text of five plays by William Shakespeare. Network Security 21

Cryptography r Operation types: m Substitution v. Transposition r Number of keys m 1: private key, symmetric, secret- or single-key m 2: public key, asymmetric, two-key r Data processing m Block v. Stream Network Security 22

Substitution r Caesar r Monoalphabetic r Multi-letter r Polyalphabetic m One-time pad Network Security 23

Caesar Cipher m Meet me after the toga party m Phhw pd diwhu wkh wrjd sduwb r C = E(p) = (p+k)mod(26) r For the above, k = 3 r p = D(C) = (C-k)mod(26) Network Security 24

Caesar Security r Vulnerable to brute-force attack m Algorithms are known m 25 possible keys m Language of plaintext is known Network Security 25

Monoalphabetic Ciphers r Use arbitrary substitution r Key is then 26 character mapping r 26! (>4 x 1026) possible keys r (DES has only 256 or >7 x 1016 keys) r So what is m UZQSOVUOHXMOPVGP … ? Network Security 26

How Secure is Monoalphabet? r Vulnerable to letter-frequency analysis r In English: m E 12. 75% m T 9. 25% m R 8. 50% m Etc. r Based on frequency of letters in ciphertext, make tentative assignment r Then move to digraph and trigraph frequency analysis m E. g. “t? e” is probably “the” Network Security 27

Better Monoalphabets r Use homophones m E. g. use several different mappings for the letter “e” m This eliminates the single-letter frequency information m But it doesn’t eliminate digraph, trigraph, etc. frequency information r The basic problem is that the ciphertext is maintaining the structure of the original Network Security 28

Multi-letter encryption r Monoalphabet: E(l): L -> L E(l 1 l 2 … l. N): LN -> LN r Multiletter: m Playfair algorithm: • Given a key “monarchy” create the following table M C E L O H F P N Y G Q A B I/J S R D K T U V W X Z Network Security 29

Multi-letter encryption r Encode letter pairs as follows: m Letter pairs with duplicate letters are separated by a filler letter m If letters are on the same row, use the letter to the right m If letters are in the same column, use the letter below m Otherwise, form a square and use the other corners r Thus: “bad grade” first becomes m “ba” “’dg” “ra” “de” r And then: “IB” “YK” “MR” “KC” Network Security 30

Is Playfair Any Good? r Digraphs are harder to identify r Considered unbreakable for a long time m Used by British in WWI m US Army in WWII r Actually relatively easy to break m Letter frequencies are still far from equal Network Security 31

Polyalphabetic Ciphers r Use a set of monoaphabetic ciphers r Key determines which cipher is used for which letter r Vigenere cipher ma is shift by 0, b is shift by 1, etc. m Now use a keyword repetitively to determine the encoding m Thus “deceptive” encoding “wearediscovered” produces “ZICVTWQNGRZGVTW” Network Security 32

Breaking Polyalphabetic Ciphers r First determine key length m E. g. sequence VTW is repeated at length 9 • Therefore length is either 3 or 9 r Then we have a key length monoalphabetic ciphers r Use autokey system: m The key specifies the initial encoding m The remainder is determined by the message m Problem: key and plaintext share same letter frequency distribution Network Security 33

One-Time Pad r Vernam (1918) m ci = pi XOR ki r Theoretically unbreakable m Why? m Because if we have a message of length N, and we try all possible keys, we will simply generate all possible messages of length N. m Thus: “Attack at dawn” could also decode to “Eat a Big Mac!” using brute force attack Network Security 34

One-Time Pad r So why not use it everywhere? m Key size m Key distribution m Correctly generating random key m Must destroy pad after use • Why? Network Security 35

Transposition r Reorder letter sequence m Rail fence m E. g. “meet me at the toga party” with rail fence of length 4 becomes ME E T MMTOAEEHGREAEATTTTPY ME A T T HE T OG A P AR TY r Trivial to cryptanalyze Network Security 36

Transposition r Improvements m Use a key to permute the columns m Thus using key 4312 to permute the columns, we get • TTTPYEAEATMMTOAEEHGR m Doesn’t help much, because the letter frequencies remain the same and the structure is still fairly close to the original m Look at the letter positions: • 4 8 12 16 20 3 7 11 15 19 1 5 9 13 17 2 6 10 14 18 Network Security 37

Multistage Transposition r Re-encode the ciphertext using the same (or a different!) key m Thus, if we re-encode using the 4312 key, we get PEMERTAMAGTYATETETOH m Which has the letter positions • 16 11 5 2 18 12 7 1 17 14 4 20 15 9 6 8 3 19 13 10 P E M E 4 8 12 16 20 3 7 11 15 19 1 5 9 13 17 2 E H G R 6 10 14 18 T Y A T T E T O T A M A Network Security 38

Rotor Machines r Single rotor is a monoalphabet that rotates by one after each key input r Thus equivalent to polyalphabet with period equal to size of alphabet r Concatenate rotors, and rotate at different speeds m Thus inner rotor rotates one per key press m Next rotor rotates one per inner rotor rotation m For three rotors, 26 x 26 = 17, 576 different substitution alphabets before repetition Network Security 39

Data Encryption Standard (DES) r FIPS PUB 46 (1977) r See http: //www. itl. nist. gov/fipspubs/fip 46 -2. htm r Encrypts 64 -bit blocks using a 56 -bit key r Same steps, same key to decrypt r Started as project LUCIFER, used 128 -bit key, for Lloyd’s of London r Reduced key size to 56 bits to fit on chip r Two complaints: m m Key size reduction S-box structure was classified Network Security 40

64 -bit plaintext 56 -bit key Initial Permutation Permuted Choice 1 Iteration 16 K 16 Permuted Choice 2 Left Circular Shift 32 -bit swap Inverse Initial Permutation 64 -bit ciphertext Network Security 41

Operations r Initial Permutation and Inverse Initial Permutations follow the rule: m. X = IIP(IP(X)) r They probably add nothing to the strength of DES Network Security 42

Li = R i-1 Ri = Li-1 (+) f(Ri-1, Ki) Network Security 43

Dealing With Keys First Permuted choice 1 and 2 and the left-shifts are specified by the standard. Permuted choice 2 throws away bits 9, 18, 22, 25, 38, 43, and 54 yielding a key of length 48 bits. Network Security 44

A Single Iteration of f(R, K) E = Expansion P = Permute S = S Boxes (Each of these is specified by the standard) Network Security 45

DES Decryption r Runs the encryption process in the same way, except the sequence of 48 -bit keys (K 1 to K 16) is applied in the reverse order m Recall • Li = Ri-1 • Ri = Li-1 (+) f(Ri-1, Ki) m Thus • Ri-1 = Li • Li-1 = Ri (+) f(Ri-1, Ki) = Ri (+) f(Li, Ki) Network Security 46

Avalanche Effect r A small change in plaintext or key should cause a large change in ciphertext r DES exhibits this well m. A single bit change in the key or plaintext results in around half of the ciphertext bits changing Network Security 47

Concerns about DES r 256 possible keys r Brute-force attack with special-purpose hardware (costing around $250, 000) EEF cracked DES encrypted text in 56 hours (1998) m Note: this would require knowledge of the plaintext nature so as to automate detection of a valid output Network Security 48

Differential Cryptanalysis r First reported in open literature in 1990 r Chosen plaintext attack where the effect of the difference between plaintext choices is observed through the DES operation, to enable probably key determination r DES is fairly secure against such attacks due to the S-Boxes and the permutation after each iteration r Requires 247 rounds with 247 chosen texts Network Security 49

Modes of Operation r Electronic Codebook (EBC) m Each block encoded independently r Cipher Block Chaining (CBC) m XOR each block of plaintext with ciphertext of previous block m At decryption, XOR ciphertext of previous block with decrypted output m Need initialization vector first block Network Security 50

Cipher Block Chaining Mode r Cipher block chaining. (a) Encryption. (b) Decryption. Network Security 51

Modes of Operation r Cipher Feedback (CFB) m Used for streaming data – j bits at a time m Start with initialization vector and encrypt m Select j bits of output • This is XORed with the plaintext for transmission • This j-bit ciphertext is shifted into the IV for computing the next j-bit output • Decryption is the same process r Output Feedback (OFB) m Almost same as CFB, but don’t XOR before shifting for next encryption Network Security 52

Cipher Feedback Mode r (a) Encryption. (c) Decryption. Network Security 53

Stream Cipher Mode r A stream cipher. (a) Encryption. (b) Decryption. Network Security 54

Counter Mode r Encryption using counter mode. Network Security 55

Triple DES r DES maps 264 -> 264 r How do we know that C = Ek 1(Ek 2(P)) is not equivalent to C = Ek 3(P)? m Because for each key we must get a unique mapping, where there are (264)! Possible permutations of input blocks m (Note, this is evidence, not proof ; Proof came in 1992) Network Security 56

So Why Not Double DES? r Meet in the middle attack r Given known plaintext/ciphertext pair: m Encrypt P for all possible keys K 1 m Decrypt C for all possible keys K 2 m Check for matches. These are possible keys • Check against another plaintext/ciphertext pair r Requires O(256) work r Also requires O(256) space! Network Security 57

Triple DES r C = Ek 1(Dk 2(Ek 1(P))) r Why this way? m Because if K 1 = K 2 then it reduces to DES r 112 -bit key r No known practical attack on Triple DES Network Security 58

So What Do We Do With DES? r What do we encrypt? r Where do we encrypt? r How do we distribute keys? Network Security 59

What and Where? r The network is generally considered to be untrustworthy m Broadcast LANs • Ethernet • 802. 11 m Physical penetration to wiring closet m Interception of Microwave and Satellite communication m Separate authority domains Network Security 60

Link v. End to End r Link: m How? • Encrypt all link-layer traffic • Decrypt and re-encrypt at routers to enable forwarding m Advantages • Network addresses (thus ultimate destination) is not visible • One key per link m Disadvantages • Every network provider must provide it – But can still see message in the clear at the router • Every customer gets it, whether they need it or not Network Security 61

End-to-End Encryption r How? m Source encrypts m Final destination decrypts r Advantages m Only those who need it use it m Intermediate routers cannot decrypt m User authentication m Easy to change encryption scheme r Disadvantages m Anyone can see the final destination m One key per communicating pair m Key distribution is more problematic r What layer? Network? Transport? Application? Network Security 62

Key Distribution r If I always use the same key, then if that key is compromised, all prior communication is compromised m Need frequent key exchange m System is only as secure as key distribution scheme Network Security 63

Basic Schemes r Alice gives Bob the key r Alice gives her faithful friend Trish Trudy Peterson (TTP) the key to deliver to Bob r Alice uses the previous key to encrypt the new key and send it to Bob r Alice and Trish share a key KA. Bob and Trish share a key KB. Trish delivers a key K to Alice and Bob allowing them to communicate Network Security 64

Key Distribution Centre (KDC) r Alice tell Trish that she wishes to talk to Bob r r (encrypted with KA) Trish responds with a KA-encrypted message containing K, Time, and a KB-encrypted copy of K, Alice’s identity, and the Time Alice sends Bob the KB-encrypted message together with her K-encrypted message Bob decrypts the KB-encrypted messages, extracts K and can then decrypt Alice’s message The time information is verified to ensure that this is not a replay-attack Network Security 65

KDC in Pictures KDC 1 Alice 2 3 Bob 4 5 Network Security 66

How do I scale a KDC? r Hierarchical Key Control m Each KDC is responsible for a small domain m KDCs the communicate using the next level in the hierarchy 2 Alice’s KDC Master KDC 3 4 5 Bob’s KDC 1 Alice 6 Bob Network Security 67

Public Key Cryptography symmetric key crypto r requires sender, receiver know shared secret key r Q: how to agree on key in first place (particularly if never “met”)? m Though this same problem appears to some extent in public-key cryptography public key cryptography r radically different approach [Diffie. Hellman 76, RSA 78] r sender, receiver do not share secret key r encryption key public (known to all) r decryption key private (known only to receiver) Network Security 68

Public key cryptography Figure 7. 7 goes here Network Security 69

Public Key Requirements r Computationally easy to m generate e. B, d. B m compute e. B(M) m compute d. B(e. B(M)) r Computationally infeasible to compute m d. B given e. B and e. B (M) for an arbitrary number of messages M m M given e. B and e. B(M) r Nice to have m e. B(d. B(M)) = d. B(e. B(M)) = M Network Security 70

Diffie-Hellman Key Exchange r Given a large prime, q, and r < q is r primitive root of q mr is a primitive root iff for all z < q, rz mod(q) are distinct integers r Then, Alice selects private ka < q and calculates public pa = rkamod(q) r Likewise, Bob selects private kb < q and calculates public pb = rkbmod(q) r Public keys are exchanged Network Security 71

Session Key r Session key K = (pb)ka mod(q) = (pa)kb mod(q) r Proof m (pb)ka mod(q) = (rkbmod(q))ka mod(q) = (rkb x ka mod(q) = (rka)kb mod(q) = (rkamod(q))kb mod(q) = (pa)kb mod(q) Network Security 72

Comments on Diffie-Hellman r Security comes from the fact that computing discrete logarithms is hard m That is, given knowledge of q, r and rkmod(q) it is not feasible to compute private key k r Do not need to use the same value for private key every time r Vulnerable to (wo)man-in-the-middle attack Network Security 73

Rivest-Shamir-Adelman (RSA) 1. Choose two large prime numbers p, q. (e. g. , 1024 bits each) 2. Compute n = pq, z = (p-1)(q-1) 3. Choose e (with e

RSA: Encryption, decryption 0. Given (n, e) and (n, d) as computed above 1. To encrypt bit pattern, m, compute e mod n (i. e. , remainder when m e is divided by n) c=m 2. To decrypt received bit pattern, c, compute d m = c d mod n (i. e. , remainder when c is divided by n) Observe: m = (m e mod n) d mod n Network Security 75

RSA example: Bob chooses p=5, q=7. Then n=35, z=24. e=5 (so e, z relatively prime). d=29 (so ed-1 exactly divisible by z. encrypt: decrypt: letter m me l 12 1524832 c 17 d c 48196857210675091411825223072000 c = me mod n 17 m = cd mod n letter 12 l Extension: Use RSA to exchange keys, Use DES to converse Network Security 76

Computational Aspects r Note that when we compute cdmod(n) we do not need to do the full computation of cd and the divide by n to see the remainder r Why? r cdmod(n) = c 2 c(d-2)mod(n) = c 2 mod(n)c(d-2)mod(n) r Better: cdmod(n) = (c 2)(d/2)mod(n) = (c 2 mod(n))(d/2)mod(n) Network Security 77

RSA: Why: m = (m e mod n) d mod n Number theory result: If p, q prime, n = pq, then y y mod (p-1)(q-1) x mod n = x mod n e (m mod n) d mod n = med mod n = m ed mod (p-1)(q-1) mod n (using number theory result above) 1 = m mod n (since we chose ed to be divisible by (p-1)(q-1) with remainder 1 ) = m Network Security 78

Key Management r Distribution of public keys m How to distribute m How to revoke r Use of public-keys to distribute secret keys Network Security 79

Distribution of Public Keys r Public announcement r Key authority m Certificates m Web of Trust Network Security 80

Public Announcement r Send the key to other participants r Append public key on all e-mail (PGP) r Place on web-page r Problem: m Forged announcement Network Security 81

Key Authority r Have a publicly available directory containing a name/public key database m Keys must be registered with authority securely m Key replacement by the same secure mechanism r Alice requests Bob’s public key from directory m Directory responds with encrypted (using directory’s private key) copy of Bob’s key, the original request, and the original message timestamp m Bob’s key can be kept for future use Network Security 82

Certificates r Do not want to contact key authority every time we need a public key r Solution: ma certificate that contains • Public key • Proof that the public key originates with the certificate authority m Only the CA can create a certificate m Any participant can verify the certificate Network Security 83

Basic Mechanism for Certificate authority encrypts (using its private key) the following three things: m Timestamp m Identity of Alice m Public Key of Alice r Alice may now give this certificate to Bob r Bob will decrypt the certificate using the public key of the CA m Bob now has public key for Alice that can only have been provided by the CA Network Security 84

Certificates r A possible certificate and its signed hash. Network Security 85

X. 509 r The basic fields of an X. 509 certificate. Network Security 86

Certificate Chains r As with the KDC hierarchy, we do not wish to all have to go to one location to get certificates m Root CA (e. g. Verisign) m CAs ‘R’ Us m Root CA generates certificate for CAs ‘R’ Us m CAs ‘R’ Us generates certificate for Bob m Alice has public key for Root • Uses it to determine public key for CAs ‘R’ Us • Which can then be used to determine public key for Bob Network Security 87

Public-Key Infrastructures r (a) A hierarchical PKI. (b) A chain of certificates. Network Security 88

Web of Trust r Anyone can create such a certificate r Bob and Trish were at a party, and Trish created such a certificate for Bob’s public key r Alice and Trish were at a different party, and Trish gave Alice a copy of her public key r Alice uses Trish’s public key to decode the certificate from Bob Network Security 89

Web of Trust (2) r Trish knows Alice and Mary m Alice has Trish’s public key m Trish creates a certificate for Mary’s public key r Mary knows Bob m Mary creates a certificate for Bob’s public key r Alice can now follow the chain to determine Bob’s public key Network Security 90

PPP: Particularly Paranoid People r Select multiple independent sources for certificates r If they all agree on the public key, then it is probably valid r This applies to both certificate authorities and web of trust Network Security 91

Key Revocation r What happens when Alice’s key is compromised? r Solutions: m Use short-durations certificates m Use revocation lists from certificate authorities Network Security 92

Attacks r Get the private key of the root authority r Compromise client software m Change the self-signing certificate m Capture the decrypted output m Etc. Network Security 93

Secret Keys r Problem: m Public-key encryption is computationally slow m DES is relatively fast r Use PKE to exchange a DES key, and then use DES to exchange data r More on this when we discuss authentication and digital signatures Network Security 94

Authentication and Digital Signatures r Requirements m No disclosure m No masquerade m No replay m No sequence modification m No timing modification m No repudiation r Functions m Encryption m Cryptographic Checksum m Hash Function Network Security 95

Authentication Goal: Bob wants Alice to “prove” her identity to him Protocol ap 1. 0: Alice says “I am Alice” Failure scenario? ? Network Security 96

Authentication: another try Protocol ap 2. 0: Alice says “I am Alice” and sends her IP address along to “prove” it. Failure scenario? ? Network Security 97

Authentication: another try Protocol ap 3. 0: Alice says “I am Alice” and sends her secret password to “prove” it. Failure scenario? Network Security 98

Authentication: yet another try Protocol ap 3. 1: Alice says “I am Alice” and sends her encrypted secret password to “prove” it. I am Alice encrypt(password) Failure scenario? Network Security 99

Authentication: yet another try Goal: avoid playback attack Nonce: number (R) used only once in a lifetime ap 4. 0: to prove Alice “live”, Bob sends Alice nonce, R. Alice must return R, encrypted with shared secret key Figure 7. 11 goes here Failures, drawbacks? Network Security 100

Authentication: ap 5. 0 ap 4. 0 requires shared symmetric key m problem: how do Bob, Alice agree on key m can we authenticate using public key techniques? ap 5. 0: use nonce, public key cryptography Figure 7. 12 goes here Network Security 101

ap 5. 0: security hole Man (woman) in the middle attack: Trudy poses as Alice (to Bob) and as Bob (to Alice) Figure 7. 14 goes here Network Security 102

Digital Signatures Cryptographic technique analogous to handwritten signatures. Simple digital signature for message m: r Sender (Bob) digitally signs public key d. B, creating signed message, d. B(m). r Bob sends m and d. B(m) to Alice. document, establishing he is document owner/creator. r Verifiable, nonforgeable: recipient (Alice) can verify that Bob, and no one else, signed document. r Bob encrypts m with his Network Security 103

Digital Signatures (more) r Suppose Alice receives Alice thus verifies that: msg m, and digital m Bob signed m. signature d. B(m) m No one else signed m. r Alice verifies m signed m Bob signed m and not m’. by Bob by applying Non-repudiation: Bob’s public key e. B to m Alice can take m, and d. B(m) then checks signature d. B(m) to court e. B(d. B(m) ) = m. and prove that Bob r If e. B(d. B(m) ) = m, signed m. whoever signed m must have used Bob’s private key. Network Security 104

Message Digests Computationally expensive to public-key-encrypt long messages Goal: fixed-length, easy to compute digital signature, “fingerprint” r apply hash function H to m, get fixed size message digest, H(m). Hash function properties: r Produces fixed-size msg digest (fingerprint) r Given message digest x, computationally infeasible to find m such that x = H(m) r computationally infeasible to find any two messages m and m’ such that H(m) = H(m’). Network Security 105

Digital signature = Signed message digest Bob sends digitally signed message: Alice verifies signature and integrity of digitally signed message: Network Security 106

Hash Function Algorithms r Internet checksum would make a poor message digest. m Too easy to find two messages with same checksum. r MD 5 hash function widely used. m Computes 128 -bit message digest in 4 -step process. m arbitrary 128 -bit string x, appears difficult to construct msg m whose MD 5 hash is equal to x. r SHA-1 is also used. m US standard m 160 -bit message digest Network Security 107

Secure e-mail • Alice wants to send secret e-mail message, m, to Bob. • generates random symmetric private key, KS. • encrypts message with KS • also encrypts KS with Bob’s public key. • sends both KS(m) and e. B(KS) to Bob. Network Security 108

Secure e-mail (continued) • Alice wants to provide sender authentication message integrity. • Alice digitally signs message. • sends both message (in the clear) and digital signature. Network Security 109

Secure e-mail (continued) • Alice wants to provide secrecy, sender authentication, message integrity. Note: Alice uses both her private key, Bob’s public key. Network Security 110

Pretty good privacy (PGP) r Internet e-mail encryption scheme, a de-facto standard. r Uses symmetric key cryptography, public key cryptography, hash function, and digital signature as described. r Provides secrecy, sender authentication, integrity. r Inventor, Phil Zimmerman, was target of 3 -year federal investigation. A PGP signed message: ---BEGIN PGP SIGNED MESSAGE--Hash: SHA 1 Bob: My husband is out of town tonight. Passionately yours, Alice ---BEGIN PGP SIGNATURE--Version: PGP 5. 0 Charset: noconv yh. HJRHh. GJGhgg/12 Ep. J+lo 8 g. E 4 v. B 3 mq. Jh FEv. ZP 9 t 6 n 7 G 6 m 5 Gw 2 ---END PGP SIGNATURE--- Network Security 111

Secure sockets layer (SSL) r PGP provides security for a specific network app. r SSL works at transport layer. Provides security to any TCP-based app using SSL services. r SSL: used between WWW browsers, servers for Icommerce (shttp). r SSL security services: m m m server authentication data encryption client authentication (optional) r Server authentication: m m m SSL-enabled browser includes public keys for trusted CAs. Browser requests server certificate, issued by trusted CA. Browser uses CA’s public key to extract server’s public key from certificate. r Visit your browser’s security menu to see its trusted CAs. Network Security 112

SSL (continued) Encrypted SSL session: r Browser generates symmetric session key, encrypts it with server’s public key, sends encrypted key to server. r Using its private key, server decrypts session key. r Browser, server agree that future msgs will be encrypted. r All data sent into TCP socket (by client or server) i encrypted with session key. r SSL: basis of IETF Transport Layer Security (TLS). r SSL can be used for non. Web applications, e. g. , IMAP. r Client authentication can be done with client certificates. Network Security 113

Secure electronic transactions (SET) r designed for payment-card transactions over Internet. r provides security services among 3 players: m customer m merchant’s bank All must have certificates. r SET specifies legal meanings of certificates. m apportionment of liabilities for transactions r Customer’s card number passed to merchant’s bank without merchant ever seeing number in plain text. m Prevents merchants from stealing, leaking payment card numbers. r Three software components: m Browser wallet m Merchant server m Acquirer gateway r See text for description of SET transaction. Network Security 114

IPsec: Network Layer Security r Network-layer secrecy: sending host encrypts the data in IP datagram m TCP and UDP segments; ICMP and SNMP messages. r Network-layer authentication m destination host can authenticate source IP address r Two principle protocols: m authentication header (AH) protocol m encapsulation security payload (ESP) protocol m r For both AH and ESP, source, destination handshake: m create network-layer logical channel called a service agreement (SA) r Each SA unidirectional. r Uniquely determined by: m security protocol (AH or ESP) m source IP address m 32 -bit connection ID Network Security 115

ESP Protocol r Provides secrecy, host r ESP authentication, data field is similar to AH integrity. authentication field. r Data, ESP trailer r Protocol = 50. encrypted. r Next header field is in ESP trailer. Network Security 116

Authentication Header (AH) Protocol r Provides source host authentication, data integrity, but not secrecy. r AH header inserted between IP header and IP data field. r Protocol field = 51. r Intermediate routers process datagrams as usual. AH header includes: r connection identifier r authentication data: signed message digest, calculated over original IP datagram, providing source authentication, data integrity. r Next header field: specifies type of data (TCP, UDP, ICMP, etc. ) Network Security 117

System Security r Network Security =/= System Security r Most common attacks exploit m Buffer overflow • E. g. bind, Windows XP, … m Protocol vulnerability • E. g. NFS m Weak passwords • Weak defaults m User behaviour m Denial of Service Network Security 118

Buffer Overflow r Read in text from user with function such as gets() r No matter how big a buffer is allocated, the attacker can send in a larger amount r If heap allocated, will overflow on the heap m Harder to exploit r If stack allocated, can easily change the return address of the function call Network Security 119

Buffer Overflow Solutions r Use library calls that have limits on what the amount of copying they will do r Use a language that performs array-bounds checking r Limit services that are offered on the system Network Security 120

Protocol Vulnerabilities r ARP: m Need access to LAN m Wait till machine X is down m Respond to ARP request as X r NFS m No per-user authentication m No revocation m Access by IP address; group and user IDs Network Security 121

Weak Password Solutions r Run crack programs to check the passwords r Require strong passwords at selection time r Require frequent changes r Biometric Login m E. g. face recognition r Passwordless solutions Network Security 122

User Behaviour r E-mail attachments can be executable, but not look like they are executable m E. g. my. pictures. yahoo. com r Compromised machines can then contact other machines, and therefore look reputable Network Security 123

Denial of Service r Send more in than come out m E. g. SYN attack r Distributed Do. S: m Use a set of compromised machines m No known solution at present Network Security 124

Skills r Most attacks are “script kiddies” r See www. rootshell. com r Defense is not much better Network Security 125

Defense Mechanisms r Configuration management m What services are run? m Are they patched? m Is this realistic? r Firewalls m Packet filtering m Application-level gateway r Antivirus measures r Intrusion Detection Network Security 126

Firewalls firewall isolates organization’s internal net from larger Internet, allowing some packets to pass, blocking others. Two firewall types: m packet filter m application gateways To prevent denial of service attacks: m SYN flooding: attacker establishes many bogus TCP connections. Attacked host alloc’s TCP buffers for bogus connections, none left for “real” connections. To prevent illegal modification of internal data. m e. g. , attacker replaces CIA’s homepage with something else To prevent intruders from obtaining secret info. Network Security 127

Packet Filtering r Internal network is connected to Internet through a router. r Router manufacturer provides options for filtering packets, based on: m m m source IP address destination IP address TCP/UDP source and destination port numbers ICMP message type TCP SYN and ACK bits r Example 1: block incoming and outgoing datagrams with IP protocol field = 17 and with either source or dest port = 23. m All incoming and outgoing UDP flows and telnet connections are blocked. r Example 2: Block inbound TCP segments with ACK=0. m Prevents external clients from making TCP connections with internal clients, but allows internal clients to connect to outside. Network Security 128

Fragmentation Attack r Use IP fragmentation to get past the firewall r Send a small initial fragment that looks acceptable r The second fragment overwrites most of the first Network Security 129

Application gateways r Filters packets on application data as well as on IP/TCP/UDP fields. r Example: allow select internal users to telnet outside. gateway-to-remote host telnet session host-to-gateway telnet session application gateway router and filter 1. Require all telnet users to telnet through gateway. 2. For authorized users, gateway sets up telnet connection to dest host. Gateway relays data between 2 connections 3. Router filter blocks all telnet connections not originating from gateway. Network Security 130

Limitations of firewalls and gateways r IP spoofing: router can’t know if data “really” comes from claimed source r If multiple app’s. need special treatment, each has own app. gateway. r Client software must know how to contact gateway. m e. g. , must set IP address of proxy in Web browser r Filters often use all or nothing policy for UDP. r Tradeoff: degree of communication with outside world, level of security r Many highly protected sites still suffer from attacks. Network Security 131

Anti-Virus Mechanisms r Ross Anderson: filter out Microsoft executables at the firewall m Web-based e-mail gets around the firewall r Two main techniques m Look for virus signature m Look at program behaviour Network Security 132

Intrusion Detection r Assume that system will become compromised, then detect m Misuse detection • Honey trap m Anomaly detection r Many false positives m If accuracy is 99. 9% and there are ten attacks per million sessions, what is the ratio of false alarms to real alarms? Network Security 133

Network Security (summary) Basic techniques…. . . r cryptography (symmetric and public) r authentication r message integrity …. used in many different security scenarios r secure email r secure transport (SSL) r IP sec r Firewalls r Etc. Network Security 134