بسم الله الرحمن الرحيم NETWORK SECURITY

NETWORK SECURITY

Done By:

Saad Al-Shahrani Saeed Al-Smazarkah

May 2006

Network Security GoalsConfidentiality or Privacy: Only sender, intended receiver should understand message contentsSender encrypts messageReceiver decrypts message

Authentication: Sender, receiver want to confirm identity of each other

Integrity: Sender, receiver want to ensure messages are not altered during transmission without detection

Access and Availability: Services must be accessible and available to users

People want to communicate securelyEve (intruder/eavesdropper): may intercept, delete, add messages

There are Eavesdroppers out there! Q: what can an eavesdropper do?A: a lot!Observing and recording information

Unauthorized access to a server

Denial of service: prevent service from being used by others (e.g. by Flooding a server with requests)

Impersonating a legitimate server

Hijacking: take over ongoing connection by removing sender or receiver, inserting himself in place

Network Security: AgendaMain weapon: cryptographyConfidentiality (encryption)Message authenticationSignatures and Certificates

Internet Threats, Attacks and DefensesSecure request/ response protocolsSecure connection tunnelsDenial of Service attacksFirewalls

Encryption Protects ConfidentialitySecret Key crypto: Shared secret key (KE,B=KD,B)Public key crypto: A user has a public encryption key KE,B and a matching private decryption key KD,B

Secret Key CryptoTwo operations (encrypt, decrypt) which are inverses of each other. Like multiplication/divisionOne parameter (the key)Even the person who designed the algorithm cant break it without the key Ideally, a different key for each pair of users

Secret key cryptoencrypt= f(K, plaintext)=ciphertextdecrypt= f(K, ciphertext)=plaintextauthentication: send f(K, challenge)integrity check: f(K, msg)=Xverify integrity check: f(K, X, msg)

Public Key CryptoTwo keys per user, keys are inverses of each other Public key BPub you tell to the worldPrivate key BPriv you keep privateYes its magic. Why cant you derive BPriv from BPub?And if its hard, where did (BPub, BPriv) come from?

Encryption and Integrity Encryption hides the message from eavesdropper

Question: can eavesdropper change message?Or: dose encryption ensure message integrity?

With Public Key Encryption:Eve can replace EBPub(m) with fake: EBPub (m)

With Secret (shared) Key Encryption:This seems harder to doBut given c=mk, attacker can send c mask, to invert any bit in decrypted message (use mask)

Encryption does not ensure integrity!

Public Key VS. Secret KeyIn terms of capabilities public key is more powerful.

Public key provides digital signature.

Secret key is much faster than public key

Public Key Digital Signatures: conceptOne of the best features of public keyAn integrity checkcalculated as f(priv key, data)verified as f(public key, data, signature)Verifiers dont need to know secret keyRSA can be used for digital signature scheme

Popular Secret Key AlgorithmsDES: old standard, 56-bit key, slow3DES: fix key size but 3 times as slowRC4: variable length key, stream cipher (generate stream from key, XOR with data)AES: replacement for DES, will probably take over

Popular Public Key AlgorithmsRSA: public key operations can be made very fast, but private key operations will be slow.

ECC (elliptic curve crypto): smaller keys, so faster than RSA (but not for public key ops).

Key Distribution ProblemSecret Key Problem: How do two entities establish shared secret key over the network?Solution: Trusted key distribution (KDC) acting as intermediary between entities KDC needs shared key with each entity.Public Key Problem:When Saad obtains Saeeds public key (from web site, e-mail, diskette), how does he know it is Saeeds public key, not eavesdroppers?Solution: Trusted certification authority (CA)

Key Distribution - Secret KeysCould configure n2 keysMakes the systems unfeasible for large-scale useInstead use Key Distribution Center (KDC)Every user has a secret key shared with KDCThe KDC knows all the usersThe KDC assigns a key to any pair who need to talk

Key Distribution - Public KeysCertification Authority (CA) signs CertificatesCertificate = a signed message saying I, the CA, vouch that 489024729 is Saads public keyIf everyone has a certificate, a private key, and the CAs public key, they can authenticate

Key Distribution - Public KeysSaadSaeed[Saad, key=342872]CAAuth, encryption, etc.[Saeed, key=8294781]CA

Denial Of Service Attack Attacker tries to exhaust resources of host/ server/ router/ user Resources include:Computation (CPU time)Storage (e.g. for state of requests/connections)Open TCP connectionsLimited (10s to several thousand connections depending on hardware, operating system)SYN flooding DOS attack: attacker sends SYN flow (open connection); server waits

SYN flooding DOS attack Attacker sends many SYN requests (using different spoofed client IP address), no ACK Uses up servers capacity for open connections

Firewalls Firewall:A secure machine (or program), isolating organizations internal net from larger Internet (or another net), allowing some packets to pass, blocking others

Packet FilteringInternal network connected to Internet via Router Firewall (packet filtering)Router filters packet-by-packet, decision to forward/ drop packet based on:Source IP address, destination IP addressTCP/UDP source and destination port numbersTCP SYN and ACK bit (identify client vs. server)

References

Our textbookhttp://www.aw.com/kurose-ross/http://www.iec.orghttp://amir.herzberg.name