31 network Security, threats, authentication, authorization, and Securing devices WenbIn Luo IntroductIon by intercepting the network traffic, keyboard logging, or simply guessing, then the attacker can get into all their other Nowadays, almost all the information is stored electroni- accounts that share the same password. Also, if an insider in cally in computers, network servers, mobile devices, or one system compromises their password, their accounts in other storage media. We cannot protect electronic infor- other systems are also compromised. mation in a cabinet in the same way we protected physical In this chapter, first, we will review private key encryp- documents in the past. We have to come up with new tech- tion and public key encryption techniques. Then, we will give niques to protect the information from unauthorized access, examples of how to perform private key encryption, public use, or manipulation. The easiest way to protect electronic key encryption, and digital signing using GPG. Second, we data is to encrypt it so that people cannot figure out what will discuss some of the threats, which a computer system it contains without knowing the secret keys. Over the last or user may face, and how they work. Third, we will exam- several decades, two major types of encryption techniques ine some existing authentication techniques and take a look have been invented: private key encryption and public key at various authorization methods, especially those used on a encryption. Linux system. Finally, the last topic will be on how to secure Private key encryption, which is also called symmetric devices. encryption, scrambles the original data with a secret key. In order to unscramble a message or file, people need to have the same secret key. Otherwise, there is no way to recover PrIvate Key encryPtIon the original data. Public key encryption, also called asym- metric encryption, usually scrambles the original data with Private key encryption was invented earlier than public key a publically accessible key. In order to unscramble a mes- encryption, and it is the standard form of encryption used sage or file, people have to be able to supply a different pri- nowadays. The purpose of private key encryption is to keep vate key, which is paired mathematically with the public key the data secret. Its advantage includes efficient algorithms used in the encryption phase. Some special software tools are for encryption and decryption. However, the limitation is needed to generate the pair of public and private keys. We that both senders and receivers must share the secret keys. will demonstrate how to create your own public and private The difficulty in sharing secret keys is how to safely transmit keys later, using a free open source tool called GNU Privacy them before one can even start encrypting messages. Many Guard (GnuPG or GPG). security systems or mechanisms use public key encryption Cryptography is a good tool for security, and it is the to transmit secret keys, and then use private key encryption basis for many security mechanisms. However, it should be to encrypt the actual data. The reason for that is to combine mentioned that it is not the solution to all security problems. the beauty of public key encryption with the speed of private Building a reliable and highly secure system is a multifaceted key encryption. and very complicated process, which requires us to look at Figure 31.1 shows the building block of private key various potential attacks from different angles. A system’s encryption. The meanings of symbols in this figure are as actual security status is not the same as the technology follows. employed to secure it. For example, passwords, which are the foundation on which much of computer security is built, • E: encryption unit pose one of the biggest practical problems [1]. Nowadays, • D: decryption unit people visit many different websites and are required to set • M: plaintext, that is, the original message passwords for many of them. In order to make things easier, • C: ciphertext, that is, the encrypted message many people use the same password for various accounts. In • K: the secret key shared between say an operator and such cases, if their passwords are harvested by an attacker a manager 506 K10922_C031.indd 506 7/5/2011 7:32:19 AM 31 Network Security, Threats, Authentication, Authorization, and Securing Devices 507 C C M K M E D Transmission PK K K + Fig. 31.1 The building block of private key encryption. M It should be noted that the encryption and decryption algorithms (E and D) are publicly known. A simple exam- PK ple of encryption and decryption is as follows. Assume that we have a one-byte secret key (K) “?” whose ASCII code in hexadecimal is “3f.” The message (M) we would like to C = PK + M encrypt is a character “%,” whose ASCII code in hexadeci- mal is “25.” Assume that we use the following simple encryp- tion algorithm (E): just do bit-wise exclusive-or operation of Exclusive-OR operation M and K as follows. Fig. 31.2 A stream cipher. K: 3f = 0 0 1 1 1 1 1 1 M: 25 = 0 0 1 0 0 1 0 1 C: 1a = 0 0 0 1 1 0 1 0 The PK generation algorithm is the most important part of a stream cipher. The diagram of a stream cipher is shown in The decryption algorithm (D) is similar to the encryption Figure 31.2. algorithm: just do bit-wise exclusive-or operation of C and K To recover the original message from the C, the stream as follows. cipher needs to take the same key K from the user and gener- ate the same PK based on K. After that, it applies bit-wise exclusive-or operation to C and PK to uncover the message K: 3f = 0 0 1 1 1 1 1 1 C: 1a = 0 0 0 1 1 0 1 0 M. RC4 is a widely used stream cipher, which was designed M: 25 = 0 0 1 0 0 1 0 1 by Ron Rivest of RSA Security in 1987. It is used in popu- lar protocols such as secure sockets layer (SSL) to protect Internet traffic and wired equivalent privacy (WEP) to secure It is clear that the original message, M, is recovered. This wireless networks. simple scheme can be extended to encrypt and decrypt long messages or data with long keys. If the length of the key is the same as that of the message and each key is used once and block ciphers only once during encryption, then the above system is called one-time pad, which is very secure. However, it should be Block ciphers work differently from stream ciphers. Instead mentioned that the above method is not secure and should not of generating a PK of the same size as a message, block be used in practice when a single key is used repeatedly. A ciphers divide the message into blocks of the same size, simple cryptanalysis could either recover the message, M, or which is usually 64, 128, or 256 bits. Then it encrypts each reveal enough information about M from the C, without even individual block with a user-supplied secret key (K) of fixed knowing the secret key, K. This is especially true when M size, such as 56, 128, 168, 192, or 256 bits. Figure 31.3 shows consists of human audio conversations because of the abun- the diagram of a block cipher. dant redundancy in natural languages. Similar to encryption, a block cipher starts decryption by dividing the C into blocks of the same size first. After that, it Stream ciphers decrypts each individual block of C with the secret key. The core parts of a block cipher are encryption (E) and decryp- Generally speaking, a private key cipher can be classified as tion (D) algorithms, which usually involve some mixing either a stream cipher or a block cipher. Figure 31.2 shows operations several times. Data encryption standard (DES) how a stream cipher works. It takes as inputs a key (K) and and its variant triple DES, and advance encryption standard a message (M). The key is usually of fixed size such as 128 (AES) are two of the most widely used block ciphers. DES or 256 bits and the message can be of arbitrary size. Given a uses substitution-box (s-box) to perform some mixing opera- fixed-size key, a stream cipher will need to generate a pseu- tions, whereas AES relies on mathematical operations in dorandom key (PK) of the same size as that of M, and then finite fields to achieve similar goals [2]. It should be men- do bit-wise exclusive-or operation of M and PK to get the C. tioned that block ciphers could work in different modes, K10922_C031.indd 507 7/5/2011 7:32:20 AM 508 Networks, Security, and Protection The mathematical proof of why RSA works can be found E in many textbooks such as Stallings 2003 [2]. A public key cryptosystem can be used in two different ways: data encryp- n-bit message blocks n-bit ciphertext blocks tion and digital signature. Assume that two users mentioned above, an operator and a manager, want to communicate with K each other. Further, assume that each user has a pair of public and private keys (Kpa, Kra) and (Kpb, Krb), respectively. We D will demonstrate how to generate a key pair later. data encryption n-bit ciphertext blocks n-bit message blocks Assume that the manager wants to encrypt an M and send K the encrypted message, that is, C, to the operator.