Network Security Chapter 8

Network Security Chapter 8

Network Security Chapter 8 Network security problems can be divided roughly into 4 closely intertwined areas: secrecy (confidentiality), authentication, nonrepudiation, and integrity control. Question: what does non-repudiation mean? What does “integrity” mean? • Cryptography • Symmetric-Key Algorithms • Public-Key Algorithms • Digital Signatures • Management of Public Keys • Communication Security • Authentication Protocols • Email Security -- skip • Web Security • Social Issues -- skip Revised: August 2011 CN5E by Tanenbaum & Wetherall, © Pearson Education-Prentice Hall and D. Wetherall, 2011 Network Security Security concerns a variety of threats and defenses across all layers Application Authentication, Authorization, and non-repudiation Transport End-to-end encryption Network Firewalls, IP Security Link Packets can be encrypted on data link layer basis Physical Wireless transmissions can be encrypted CN5E by Tanenbaum & Wetherall, © Pearson Education-Prentice Hall and D. Wetherall, 2011 Network Security (1) Some different adversaries and security threats • Different threats require different defenses CN5E by Tanenbaum & Wetherall, © Pearson Education-Prentice Hall and D. Wetherall, 2011 Cryptography Cryptography – 2 Greek words meaning “Secret Writing” Vocabulary: • Cipher – character-for-character or bit-by-bit transformation • Code – replaces one word with another word or symbol Cryptography is a fundamental building block for security mechanisms. • Introduction » • Substitution ciphers » • Transposition ciphers » • One-time pads » • Fundamental cryptographic principles » CN5E by Tanenbaum & Wetherall, © Pearson Education-Prentice Hall and D. Wetherall, 2011 Introduction Most popular computer-based encryption alternatives: 1. Symmetric key – same key used to both encrypt and decrypt; popular for securing data comm protocols. 2. Public key – different keys used to encrypt than to decrypt (public key, private key); popular for encrypting keys (and some data) The encryption model (for a symmetric-key cipher) • Kerckhoff’s principle: Algorithms (E, D) are public; only the keys (K) are secret − Kerckhoff’s principal: algorithmsTrudy are public, keys are private Alice Bob Note: Names indicate roles. CN5E by Tanenbaum & Wetherall, © Pearson Education-Prentice Hall and D. Wetherall, 2011 Substitution Ciphers Substitution ciphers replace each group of letters in the message with another group of letters to disguise it Simple single-letter substitution cipher CN5E by Tanenbaum & Wetherall, © Pearson Education-Prentice Hall and D. Wetherall, 2011 Transposition Ciphers Transposition ciphers reorder letters but not disguise them Key gives column order, starting with the lowest letter Column 5 (G) 6 (K) 7 (M) 8 (U) Simple column transposition cipher CN5E by Tanenbaum & Wetherall, © Pearson Education-Prentice Hall and D. Wetherall, 2011 One-Time Pads (1) Simple scheme for perfect secrecy: • XOR message with secret pad to encrypt, decrypt • Pad is as long as the message and can’t be reused! − It is a “one-time” pad to guarantee secrecy Different secret pad decrypts to the wrong plaintext As long as the pads are never re-used or revealed, this approach is unbreakable. CN5E by Tanenbaum & Wetherall, © Pearson Education-Prentice Hall and D. Wetherall, 2011 One-Time Pads (2) – Quantum Cryptography Approach using lasers and photonic filters leveraging quantum mechanics (qubit polarization). See pages 773-776 in textbook. Approach cannot be eavesdropped upon Alice sending Bob a one-time pad with quantum crypto. • Bob’s guesses yield bits; Trudy misses some • Bob can detect Trudy since error rate increases CN5E by Tanenbaum & Wetherall, © Pearson Education-Prentice Hall and D. Wetherall, 2011 Fundamental Cryptographic Principles 1. Messages must contain some redundancy redundancy = info not needed to understand the message so that active intruders cannot send random junk and have it be interpreted as a valid msg • All encrypted messages decrypt to something • Redundancy lets receiver recognize a valid message • But redundancy helps attackers break the design 2. Some method is needed to foil replay attacks • Without a way to check if messages are fresh then old messages can be copied and resent • For example, add a date stamp to messages CN5E by Tanenbaum & Wetherall, © Pearson Education-Prentice Hall and D. Wetherall, 2011 Symmetric-Key Algorithms Symmetric key – the same Secret key is used to both encrypt and decrypt the message. Popular for communication protocols because encryption/decryption can be done rapidly and easily adaptable to hardware automation. Encryption in which the parties share a secret key » Approaches using block ciphers – takes a n-bit block of plaintext as an input and transforms it using the key into an n-bit block of cipher text (and vice versa). » Question: What happens if the secret key becomes revealed? • DES – Data Encryption Standard » • AES – Advanced Encryption Standard » • Cipher modes » • Other ciphers » • Cryptanalysis » CN5E by Tanenbaum & Wetherall, © Pearson Education-Prentice Hall and D. Wetherall, 2011 Symmetric-Key Algorithms (1) Use the same secret key to encrypt and decrypt; block ciphers operate a block at a time • Same number of bits in as bits out • Product cipher combines transpositions/substitutions Basic elements of product ciphers (Pages 779-780) Permutation Substitution Product with multiple P- and S-boxes (transposition) box box Question: Who can explain what is happening in the Substitution Box? CN5E by Tanenbaum & Wetherall, © Pearson Education-Prentice Hall and D. Wetherall, 2011 Data Encryption Standard (1) DES encryption was widely used (but no longer secure) • Developed by IBM in 1977 • Plaintext encrypted in blocks of 64-bits; 56-bit key; 19 stages of computation Contains transpositions & substitutions DES steps A single iteration CN5E by Tanenbaum & Wetherall, © Pearson Education-Prentice Hall and D. Wetherall, 2011 Data Encryption Standard (2) Introduced 1979, popular through the 1990s. Uses 2 DES keys for encryption and 3 iterations (stages) of DES, using key 1 for 1st and 3rd iteration and key 2 for 2nd iteration. Triple encryption (“3DES”) with two 56-bit keys • Gives an adequate key strength of 112 bits − Instructor addition: 3DES not currently considered “adequate” today for most uses • Setting K1 = K2 allows for compatibility with DES Triple DES encryption Triple DES decryption Question: Why is the length of the encryption key important? CN5E by Tanenbaum & Wetherall, © Pearson Education-Prentice Hall and D. Wetherall, 2011 Advanced Encryption Standard (1) AES replaces 3DES. Introduced in 2001 by US Government (NIST). Supports block size of 128-bits and encryption key lengths of 128, 192, or 256 bits. AES is the successor to DES: • Symmetric block cipher, key lengths up to 256 bits • Openly designed by public competition (1997-2000) • Available for use by everyone • Built as software (e.g., C) or hardware (e.g., x86) • Winner was Rijndael cipher • Now a widely used standard CN5E by Tanenbaum & Wetherall, © Pearson Education-Prentice Hall and D. Wetherall, 2011 Advanced Encryption Standard (2) AES uses 10 rounds for 128-bit block and 128-bit key • Each round uses a key derived from 128-bit key • Each round has a mix of substitutions and rotations • All steps are reversible to allow for decryption Round keys are derived from 128-bit secret key CN5E by Tanenbaum & Wetherall, © Pearson Education-Prentice Hall and D. Wetherall, 2011 Cipher Modes (1) Cipher Modes prevent the same msg from being encrypted to the same bits each time. Question: Why is such variance desirable? Cipher modes set how long messages are encrypted • Instructor addition: 5 cipher modes for symmetric-key encryption • Each has strengths/weaknesses and preferential deployment usages 1. Encrypting each block independently, called ECB (Electronic Code Book) mode, is vulnerable to shifts With ECB mode, switching encrypted Leslie gets a blocks gives a different but valid message large bonus! CN5E by Tanenbaum & Wetherall, © Pearson Education-Prentice Hall and D. Wetherall, 2011 Cipher Modes (2) CBC protects against code books (i.e., same plaintext block will not result in the same ciphertext block); computed using a 64-bit block 2) CBC (Cipher Block Chaining) is a widely used mode • Chains blocks together with XOR to prevent shifts • Has a random IV (Initial Value) for different output CBC mode encryption CBC mode decryption CN5E by Tanenbaum & Wetherall, © Pearson Education-Prentice Hall and D. Wetherall, 2011 Cipher Modes (3) Cipher feedback mode enables a byte-by-byte encryption (no larger blocks) There are many other modes with pros / cons, e.g., 3) cipher feedback mode is similar to CBC mode but can operate a byte (rather than a whole block) at a time Encryption Decryption CN5E by Tanenbaum & Wetherall, © Pearson Education-Prentice Hall and D. Wetherall, 2011 Cipher Modes (4) 4) A stream cipher uses the key and IV to generate a stream that is a one-time pad; can’t reuse (key, IV) pair • Doesn’t amplify transmission errors like CBC mode Encryption Decryption Keystream is a sequence of output blocks that acts like a one-time pad. CN5E by Tanenbaum & Wetherall, © Pearson Education-Prentice Hall and D. Wetherall, 2011 Cipher Modes (5) Counter mode is often used for encrypting accessible stored data such as databases 5) Counter mode (encrypt a counter and XOR it with each message block) allows random access for decryption Encryption above; repeat the operation to decrypt CN5E by Tanenbaum & Wetherall, © Pearson

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    71 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us