Lecture 10: Network Security · 2015. 11. 28. · ‣ Symmetric key encryption/decryption -Alice and Bob share the same key -challenge: exchanging the key ‣ Asymmetric key encryption/decryption

Network Security Lecture 10:

Computer Networks, Fall 2015

Security properties

‣ Confidentiality

- only the sender and the receiver understand the contents of the message

‣ Authenticity

- the message is from whom it claims to be

‣ Integrity

- the message was not changed along the way

Outline

‣ Building blocks

‣ Providing security properties

‣ Securing Internet protocols

‣ Operational security

Outline

‣ Building blocks

Encryption & decryption

Bob Alice

“Dear Bob, ...”

communication channel

“daghj2$%@^”

encryption algorithm

decryption algorithm

“Dear Bob, ...”

“daghj2$%@^” “daghj2$%@^”

plaintext plaintext

Bob Alice

ciphertext ciphertext

‣ Encryption algorithm: input: plaintext, output: ciphertext

‣ Decryption algorithm: input: ciphertext, output: plaintext

‣ Ciphertext: ideally, should reveal no information about the message

key key

Symmetric key cryptography

plaintext plaintext

Bob Alice

plaintext plaintext

key{ } key{ } plaintext = plaintext

‣ Alice and Bob share the same key

- used both for the encryption and decryption algorithm

‣ Used to “scramble” the plaintext

- RC4, AES, Blowfish

‣ Challenge: how to share a key?

- out of band

- not always an option

Asymmetric key cryptography

plaintext plaintext

Bob Alice

key-{ } key+{ }

key+ key-

plaintext plaintext

plaintext = plaintext

‣ Alice and Bob use different keys

- public (key+) and private (key-) key

‣ There is a special relationship between them

- key-{ key+{ plaintext } } = plaintext

- key+{ key-{ plaintext } } = plaintext

- RSA, DSA

‣ Challenge: computationally expensive

- sophisticated encryption/decryption algorithms based on number theory

Cryptographic hash function

Dear Bob, .................... .................... .................... Cheers, Alice

hash function

tru46hj#$%

Dear Bob, .................... .................... .................... Cheers, Alice

hash function

Dear Bob,

Dear Bob, .................... .................... .................... Thanks,

Celine

Dear Bob, .................... .................... .................... Best wishes, Dabir

Dear Bob, .................... .................... .................... .................... .................... .................... Cheers, Alice

hash function

tru46hj#$%

hash ?

‣ Maps larger input to smaller hash

‣ Hash should not reveal information on input

‣ Should be hard to identify 2 inputs that lead to the same hash

Building blocks

‣ Symmetric key encryption/decryption - Alice and Bob share the same key - challenge: exchanging the key

‣ Asymmetric key encryption/decryption - Alice and Bob use different keys - challenge: computationally expensive

‣ Cryptographic hash function - produces a hash of the original message

- that’s different from encryption 20

Outline

‣ Building blocks

Providing confidentiality

key key

plaintext plaintext

Bob Alice

ciphertext ciphertext ciphertext

plaintext plaintext

Bob Alice

Bob_key+

Bob_key-

plaintext plaintext

Bob Alice

Bob_key+

Bob_key- Manuel

plaintext

ciphertext

Man in the middle

Bob Alice

plaintext

ciphertext

plaintext

ciphertext

Bob_key+

Bob_key-

Manuel

plaintext

ciphertext

Manuel_key+

Manuel_key-

‣ With symmetric key crypto

- Alice encrypts message with shared key

- only Bob can decrypt it

‣ With asymmetric key crypto

- Alice encrypts message with Bob’s public key

- only Bob can decrypt it (with his private key)

- but beware of man-in-the-middle attacks

Providing authenticity

Bob Alice Persa

Bob Alice

key{ I am Alice }

= hjdfk678vnx

Bob Persa

key{ I am Alice }

!= hgdja54637452

Bob Alice

hash{ key | I am Alice }

= 46873astubv

Bob Alice

Message Authentication Code (MAC)

Bob Alice

Alice_key+{ 687retwyw }

= I am Alice

Bob Persa

Alice_key+{ ghdj67d%^& }

!= I am Alice

Bob Alice

Digital signature

Bob Alice

Message Authentication Code (MAC)

Bob Alice

Digital signature

Bob Alice

‣ With symmetric key crypto

- Alice appends hash of message + shared key

- Bob verifies that it is correct (using shared key)

‣ With asymmetric key crypto

- Alice encrypts hash of message with her private key, appends to unencrypted message

- Bob verifies that it is correct (using Alice’s public key)

‣ Nonce for avoiding replay attacks

- Bob sends Alice a nonce (random number)

- Alice appends hash of message + shared key + nonce

Providing integrity

Bob Alice

Providing integrity

Bob Alice

Providing integrity

‣ With the same mechanisms that provide authenticity

plaintext

ciphertext

Man in the middle

Bob Alice

plaintext

ciphertext

plaintext

ciphertext

Bob_key+

Bob_key-

Manuel

plaintext

ciphertext

Manuel_key+

Manuel_key-

Public key certification

‣ Trusted certificate authority (CA) digitally signs that key+ is Bob’s public key

- using the CA’s private key

‣ CA’s public key is obtained out of band

- web browsers pre-configured with CA public keys

Outline

‣ Building blocks

Securing email (confidentiality)

Bob_key+{ }

shared_key{ } message

shared_key

shared_key{ }

Bob_key-{ }

Securing email (confidentiality)

Bob_key+{ }

shared_key{ } message

shared_key

Alice_key-{ } hash{ }

Securing email (auth & integrity)

message

Alice_key+{ }

Securing email (auth & integrity)

Alice_key-{ } hash{ } message

message hash{ }

Alice_key-{ } hash{ }

Securing email

message

+ shared_key{ ... }

Bob_key+{ shared_key }

Securing TCP

online store Alice

Securing TCP

‣ Server sends its certificate

- includes its public key

‣ Client creates and sends a shared master key

- encrypts it with server’s public key

‣ Both use master key to create 4 session keys

- 1 key for encrypting client --> server data

- 1 key for creating MAC for client --> server data

- same for server --> client data

Securing TCP

online store Alice

Securing TCP

online store Alice

Securing TCP

‣ Client organizes data in records

- each record has a sequence number

‣ Creates MAC for each record + sequence #

- using one of the 4 session keys

‣ Encrypts the data + MAC for each record

- using (another) one of the 4 session keys

Securing IP

Bob Alice

IP packet

key1{ IP packet }, hash{ key2, key1{ IP packet } }

IP packet

Securing IP

‣ 2 IP routers establish a “secure tunnel”

- usually between branch offices of a company

‣ Source encrypts each IP packet

- using a shared key

‣ Source creates MAC for encrypted IP packet

- using another shared key

Key ideas

‣ Combination of symmetric/asymmetric keys - asymmetric key crypto to exchange shared keys

- symmetric key crypto for confidentiality, authenticity, & integrity

- symmetric key crypto is faster

‣ Seq. numbers to avoid reordering attacks - organize data in records with seq. numbers

- compute MAC on record data + seq. number

Outline

‣ Building blocks

Firewalls

action src IP dst IP src port dst port proto

allow 167.67/16

167.67/16

any TCP > 1023 80

allow any TCP 80 > 1023

deny all all all all all

Lecture 10: Network Security · 2015. 11. 28. · ‣ Symmetric key encryption/decryption -Alice and Bob share the same key -challenge: exchanging the key ‣ Asymmetric key encryption/decryption

Documents

Keywords: software encryption,polymorphic decryption ...

Encryption/Decryption system Midterm Presentation

Authenticated Encryption for Low-Power Reconﬁgurable...

Symmetric-Key...

Secured algorithm for gsm encryption & decryption

Authenticated Encryption Decryption Scheme

New Public Key (RSA) Encryption · 2009. 2. 23. · logo1.....

Cryptography Readings Encryption, Decryption, & Digital...

THE APPLICATION LAYER · Encryption method Passive intruder...

Encryption & decryption of sound presentation

DOWNLOADABLE SECURITY DISCUSSION · Content Key encryption....

Cryptosystems and Symmetric Encryption/Decryption)

Encryption and Decryption using Password Based Encryption...

By Yernar. Background Key generation Encryption ...

2. Encryption and Decryption

Encryption and Decryption