EEC4113 Data Communication & Multimedia System Chapter 9: Session Layer – Network Security by Muhazam Mustapha, November 2011
Dec 29, 2015

Download

Documents

Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Page 1: EEC4113 Data Communication & Multimedia System Chapter 9: Session Layer – Network Security by Muhazam Mustapha, November 2011.

EEC4113 Data Communication & Multimedia System

Chapter 9: Session Layer – Network Security

by Muhazam Mustapha, November 2011


Learning Outcome

• By the end of this chapter, students are expected to be able to explain issues related to network security


Chapter Content

• Network Security Issues

• Security Key, Cryptography and Authentication Techniques

• Firewall

• Steganography


Network Security Issues

CO1


Security Requirements

• Confidentiality
  – Requires that data only be accessible by authorized parties

• Integrity
  – Requires that data can be modified only by authorized parties
  – Modification includes writing, changing, deleting and creating


Security Requirements

• Availability
  – Requires that data are available to authorized parties

• Authenticity
  – Requires that a host or service be able to verify the identity of a user


Types of Attacks

• A useful means of classifying security attacks is in terms of passive attacks and active attacks

• The purpose of an attack is not necessarily to obtain information; it might be just to cause some kind of problem at the target

• 2 types of attacks:
  – Passive attacks
  – Active attacks


Passive Attacks

• Eavesdropping on transmissions to obtain information
  – Secretly listening to people’s conversation

• Two types:
  – Release of message contents
    • Outsider learns the content of the transmission
  – Traffic analysis
    • By monitoring the frequency and length of messages, even encrypted ones, the nature of the communication can be guessed


Passive Attacks

• Difficult to detect because they do not involve any alteration of the data

• Can be prevented, usually by means of encryption


Active Attacks

• Involve some modification of the data stream or the creation of a false stream

• 4 types:
  – Masquerade
  – Replay
  – Modification of messages
  – Denial of service (DoS)

• Easy to detect but hard to prevent

• Goal: Detect and recover from any disruption or delays caused by them


Active Attacks

• Masquerade
  – Pretending to be a different entity

• Replay
  – Passive capture of a data unit and its subsequent retransmission to produce an unauthorized effect
    • E.g. capturing a password during eavesdropping and reusing it to dishonestly access a system


Active Attacks

• Modification of Messages
  – A portion of a legitimate message is altered into content wanted by the attacker

• Denial of Service (DoS)
  – Disruption of an entire network or a server, either by disabling the network server or by overloading it with messages so as to degrade performance


Security Key, Cryptography and Authentication


Maintaining Confidentiality

• The universal technique for providing confidentiality for transmitted data is symmetric encryption

• Also referred to as conventional encryption or single-key encryption


Symmetric Encryption

The slide shows the symmetric encryption model as a figure; the labels recovered from it describe its five components:

• Plaintext: Original message or data that is fed into the algorithm as input
• Encryption algorithm: Performs various substitutions & transformations on the plaintext
• Secret key: Input to the encryption algorithm. The exact substitutions & transformations performed by the algorithm depend on the key
• Ciphertext: Scrambled message, produced as output. Depends on plaintext & secret key. Different keys will produce different ciphertext
• Decryption algorithm: Takes ciphertext & secret key as input to produce the original plaintext


Encryption Requirements

• Strong encryption algorithm
  – Even if the algorithm is known, an attacker should not be able to decrypt the ciphertext or work out the key
  – Even if a number of ciphertexts are available together with their plaintexts

• Sender and receiver must obtain the secret key securely
  – Once the key is known, all communication using this key is readable


Attacking Encryption

• There are 2 general approaches to attacking a symmetric scheme:
  – Cryptanalysis
    • Relies on the nature of the algorithm plus some knowledge of the general characteristics of the plaintext
    • Attempts to deduce the plaintext or the key
  – Brute force
    • Try every possible key until the plaintext is achieved


Encryption Algorithms

• The most commonly used symmetric encryption algorithms are block ciphers

• A block cipher processes plaintext in fixed-size blocks, producing a block of ciphertext of equal size


Encryption Algorithms

• Two most important block cipher algorithms:
  – Data Encryption Standard (DES) – 56-bit key
    • Extension of DES – 3DES – 112 / 168-bit key
  – Advanced Encryption Standard (AES) – up to 256-bit key


Location of Encryption Devices


Link Encryption

• All traffic secure

• High level of security

• Requires lots of encryption devices

• Message must be decrypted at each switch to read address (virtual circuit number)

• Security vulnerable at switches
  – Particularly on a public switched network


End-to-End Encryption

• Encryption done at ends of system

• Data in encrypted form crosses network unaltered

• Destination shares key with source to decrypt

• Host can only encrypt user data
  – Otherwise switching nodes could not read the header or route the packet

• Traffic pattern not secure


Secure Hash Functions

• Hash function must have the following properties:
  – Can be applied to any size data block
  – Produces fixed length output
  – Easy to compute
  – Not feasible to reverse
  – Not feasible to find two messages that give the same hash


SHA-1

• Secure Hash Algorithm 1

• Input message less than 2^64 bits
  – Processed in 512-bit blocks

• Output 160-bit digest


SHA-1 Example


Public Key Cryptography

• Based on mathematical algorithms

• Asymmetric
  – Uses two separate keys

• Ingredients
  – Plain text
  – Encryption algorithm
  – Public and private key
  – Cipher text
  – Decryption algorithm


Public Key Cryptography: Encryption


Public Key Cryptography: Authentication


Public Key Cryptography: Encryption Operation

• User generates a pair of keys

• User places one key in the public domain

• Infeasible to determine the decryption key given the encryption key and the algorithm

• To send a message to the user, encrypt it using the user’s public key

• User decrypts using his private key
  – His own public key could NOT decrypt it


Public Key Cryptography: Authentication Operation

• To send an authentication certification to a receiver, encrypt the certification using the sender’s private key

• Receiver authenticates the certification using the sender’s public key


RSA (Rivest, Shamir, Adleman) Algorithm


RSA Example
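The RSA worked example on this slide is a figure that did not survive extraction. The following Python is an added example, not the lecture's own: it walks through the encryption operation and the authentication operation of the two preceding slides with small constructed primes p = 61 and q = 53 (a toy key size, with no padding scheme), and hashes the message with SHA-1 only because that is the hash this chapter covers.

```python
import hashlib
from math import gcd

# Toy RSA. The primes are constructed for illustration: real keys use primes of
# 1024 bits or more and a padding scheme (OAEP for encryption, PSS for signing),
# both omitted here so that the two operations from the slides stay visible.


def rsa_keypair(p, q, e=17):
    """Return ((e, n), (d, n)): the public key goes in the public domain, d stays private."""
    n = p * q
    phi = (p - 1) * (q - 1)                  # Euler's totient of n
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with phi(n)")
    d = pow(e, -1, phi)                      # private exponent: e * d = 1 (mod phi)
    return (e, n), (d, n)


def rsa_encrypt(m, public_key):
    """Encryption operation: anyone can encrypt to the user with the user's public key."""
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer below n")
    return pow(m, e, n)


def rsa_decrypt(c, private_key):
    """Only the private exponent undoes the encryption; applying e again does not."""
    d, n = private_key
    return pow(c, d, n)


def _digest_mod_n(message, n):
    # Hash-then-sign: the SHA-1 digest (the hash covered in this chapter; it is no
    # longer acceptable for signatures) is reduced mod n because n is tiny here.
    return int.from_bytes(hashlib.sha1(message).digest(), "big") % n


def rsa_sign(message, private_key):
    """Authentication operation: the sender 'encrypts' the digest with the private key."""
    d, n = private_key
    return pow(_digest_mod_n(message, n), d, n)


def rsa_verify(message, signature, public_key):
    """The receiver checks the signature with the sender's public key."""
    e, n = public_key
    return pow(signature, e, n) == _digest_mod_n(message, n)


PUBLIC, PRIVATE = rsa_keypair(61, 53)        # n = 3233, e = 17


def demo():
    c = rsa_encrypt(65, PUBLIC)              # 65^17 mod 3233 = 2790
    results = {
        "ciphertext": c,
        "decrypted_with_private": rsa_decrypt(c, PRIVATE),   # 65
        "decrypted_with_public": rsa_decrypt(c, PUBLIC),     # not 65
    }
    sig = rsa_sign(b"pay 10 dollars", PRIVATE)
    results["signature_ok"] = rsa_verify(b"pay 10 dollars", sig, PUBLIC)
    # A tampered signature maps to a different value under e, so verification fails
    results["forged_signature_ok"] = rsa_verify(b"pay 10 dollars", (sig + 1) % PUBLIC[1], PUBLIC)
    return results


if __name__ == "__main__":
    print(demo())
```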


SSL Transport Layer Security

• Security services for TCP/IP Transport Layer Security defined in RFC 2246

• SSL (secure socket layer) general-purpose service
  – Set of protocols that rely on TCP

• Two implementation options
  – Part of underlying protocol suite
    • Transparent to applications
  – Embedded in specific packages
    • E.g. Netscape and Microsoft Explorer and most Web servers


SSL Architecture

• SSL uses TCP to provide a reliable end-to-end secure service

• SSL has two layers of protocols

• Record Protocol provides basic security services to various higher-layer protocols
  – In particular, HTTP can operate on top of SSL

• Three higher-layer protocols
  – Handshake Protocol
  – Change Cipher Spec Protocol
  – Alert Protocol


SSL Protocol Stack


SSL Record Protocol

• The SSL record protocol defines the format used to transmit data

• The SSL record protocol provides two services for SSL connections:
  – Confidentiality: The Handshake Protocol defines a shared secret key that is used for conventional encryption of SSL payloads
  – Message Integrity: The Handshake Protocol also defines a shared secret key that is used to form a message authentication code (MAC)


SSL Record Protocol


SSL Header

• Content Type (8 bits): The higher-layer protocol used to process the enclosed fragment.

• Major Version (8 bits): Indicates the major version of SSL in use. E.g. 3

• Minor Version (8 bits): e.g. 0

• Compressed length (16 bits): The length in bytes of the plaintext fragment. The maximum value is 2^14 + 2048


SSL Handshake Protocol

• The SSL handshake protocol involves using the SSL record protocol to exchange a series of messages between an SSL-enabled server and an SSL-enabled client when they first establish an SSL connection. This exchange of messages is designed to facilitate the following actions:
  – Authenticate the server to the client.
  – Allow the client and server to select the cryptographic algorithms, or ciphers, that they both support.
  – Optionally authenticate the client to the server.
  – Use public-key encryption techniques to generate shared secrets.
  – Establish an encrypted SSL connection.


SSL Handshake Protocol


SSL Change Cipher Spec Protocol

• Used to change the keying material in encryption between the client and server

• Keying material is raw data that is used to create keys for cryptographic use

• The CCS sub-protocol consists of a single message to tell the other party in the SSL/TLS session, also known as the peer, that the sender wants to change to a new set of keys


SSL Alert Protocol

• Alert messages are used to indicate a change in status or an error condition to the peer

• There are a wide variety of alerts to notify the peer of both normal and error conditions defined in RFC 2246:
  – closure notify
  – unexpected message
  – bad record MAC
  – decompression failure
  – handshake failure
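As an added example (not the lecture's code), the Python below parses the five-byte record header described on the SSL Header slide and decodes the alert payloads listed on this slide, rejecting a fragment longer than the 2^14 + 2048 bound or a truncated record. The content-type and alert code points are the RFC 2246 values; the sample records are constructed.

```python
import struct

# SSL 3.0 / TLS 1.0 record header: type (1 byte), major (1), minor (1), length (2).
HEADER_LEN = 5
MAX_FRAGMENT = 2**14 + 2048                 # upper bound on the length field, as on the slide
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
ALERT_LEVELS = {1: "warning", 2: "fatal"}
ALERT_DESCRIPTIONS = {                      # the five alerts named on the slide
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    30: "decompression_failure", 40: "handshake_failure",
}


class RecordError(ValueError):
    """Malformed record: a real peer would answer with a fatal alert and close."""


def decode_alert(fragment):
    if len(fragment) != 2:
        raise RecordError("alert fragment must be exactly 2 bytes")
    level, description = fragment
    return (ALERT_LEVELS.get(level, f"level {level}"),
            ALERT_DESCRIPTIONS.get(description, f"description {description}"))


def parse_record(data):
    """Parse one record at the start of `data`; return (record dict, unconsumed bytes)."""
    if len(data) < HEADER_LEN:
        raise RecordError("truncated header")
    ctype, major, minor, length = struct.unpack("!BBBH", data[:HEADER_LEN])
    if ctype not in CONTENT_TYPES:
        raise RecordError(f"unknown content type {ctype}")
    if length > MAX_FRAGMENT:
        raise RecordError(f"fragment length {length} exceeds {MAX_FRAGMENT}")
    fragment = data[HEADER_LEN:HEADER_LEN + length]
    if len(fragment) < length:
        raise RecordError("truncated fragment")
    record = {"type": CONTENT_TYPES[ctype], "version": (major, minor), "fragment": fragment}
    if ctype == 21:
        record["alert"] = decode_alert(fragment)
    return record, data[HEADER_LEN + length:]


def parse_stream(data):
    """Split a byte stream into consecutive records (records sit back to back on the wire)."""
    records = []
    while data:
        record, data = parse_record(data)
        records.append(record)
    return records


# Constructed sample: a 5-byte handshake fragment under SSL 3.0, followed by a
# fatal handshake_failure alert under TLS 1.0 (version 3.1 on the wire).
SAMPLE = bytes.fromhex("1603000005" "0102030405") + bytes.fromhex("1503010002" "0228")

if __name__ == "__main__":
    for rec in parse_stream(SAMPLE):
        print(rec["type"], rec["version"], rec.get("alert", rec["fragment"].hex()))
```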


Firewall

CO1, CO3


Firewalls

• A firewall is a piece of hardware or a software program which protects a computer or network from attacks by intruders and hackers

• Today’s firewalls also include virus scanning, URL screening, and keyword scanners – or the other way around


Firewalls


Need for Firewalls

To protect against the following:

• Loss and Manipulation of Data

• Business Secrets and Confidential Data

• Hijacked Networks

• Loss of Reputation


Firewall Operation

• Authorize a connection (allow)

• Block a connection (deny)
  – Based on incoming source
  – Based on content
  – Based on outgoing source

• Reject a connection request without informing the issuer (drop)

• Logging of any traffic


Level of Operation

• Filtration (exceptions) can be done at various levels

• User/Destination level
  – certain users or IP addresses are given certain privileges or can be blocked

• Application level
  – certain applications are given certain privileges

• Service level
  – certain services (FTP, HTTP, SMTP) on certain port numbers may or may not be allowed
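As an added example, not from the lecture: a minimal first-match packet filter in Python that applies the allow / deny / drop actions from the Firewall Operation slide at the user/destination level (source address) and the service level (destination port), and logs every decision. The policy, addresses and connections are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

SERVICE_PORTS = {"ftp": 21, "http": 80, "smtp": 25}   # services named on the slide


@dataclass
class Rule:
    action: str                          # "allow", "deny" (issuer is told) or "drop" (silent)
    src: str = "0.0.0.0/0"               # user/destination level: source network
    dst_port: Optional[int] = None       # service level: None matches any port
    comment: str = ""


@dataclass
class Connection:
    src_ip: str
    dst_port: int


def matches(rule: Rule, conn: Connection) -> bool:
    if ipaddress.ip_address(conn.src_ip) not in ipaddress.ip_network(rule.src):
        return False
    return rule.dst_port is None or rule.dst_port == conn.dst_port


def evaluate(rules: List[Rule], conn: Connection, log: list) -> str:
    """First matching rule decides; anything unmatched is dropped. Every decision is logged."""
    for rule in rules:
        if matches(rule, conn):
            log.append(f"{rule.action} {conn.src_ip} -> port {conn.dst_port} ({rule.comment})")
            return rule.action
    log.append(f"drop {conn.src_ip} -> port {conn.dst_port} (no matching rule)")
    return "drop"


# Constructed policy: one host is silently dropped, FTP is refused for everyone,
# and the internal /24 may use HTTP and SMTP. Rule order matters: the blocked
# host is tested before the allow rules that would otherwise admit it.
POLICY = [
    Rule("drop", src="10.0.0.66/32", comment="blocked host"),
    Rule("deny", dst_port=SERVICE_PORTS["ftp"], comment="FTP not permitted"),
    Rule("allow", src="10.0.0.0/24", dst_port=SERVICE_PORTS["http"], comment="internal web"),
    Rule("allow", src="10.0.0.0/24", dst_port=SERVICE_PORTS["smtp"], comment="internal mail"),
]


def run_policy(connections):
    """Evaluate each connection against POLICY; return the decisions and the log."""
    log = []
    decisions = [evaluate(POLICY, c, log) for c in connections]
    return decisions, log


if __name__ == "__main__":
    decisions, log = run_policy([Connection("10.0.0.5", 80), Connection("10.0.0.66", 80),
                                 Connection("10.0.0.5", 21), Connection("192.168.1.9", 80)])
    print("\n".join(log))
```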


Hardware vs Software Firewall

• Advantage of software firewall
  – Free or cheap to install
  – Easy to install
  – Specialist skills not needed for configuration
  – Levels of access can be set

• Disadvantage of software firewall
  – May be heavy and slow down applications
  – Can be difficult to remove
  – Requires regular patching of all hosts
  – No centralized management


Hardware vs Software Firewall

• Advantage of hardware firewall
  – Centralized management possible
  – Secure
  – Fast
  – Less interference

• Disadvantage of hardware firewall
  – Expensive to purchase
  – Needs specialist knowledge
  – Takes up physical space
  – Hard to upgrade


Steganography


Steganography

• Art and science of communicating in a way that hides the existence of a message
  – Hidden in plain sight

• Signal or pattern imposed on content

• Not encryption – data is sent in plain text

• Not copy protecting – the copy of data is hardly visible


Classic Techniques

• Invisible ink (1st century AD – WW II)

• Overwrite select characters in printed type in pencil
  – look for the gloss

• Pin punctures in type

• Microdots
  – e.g. microdots to protect against car theft


Modern Motivation

• Steganography received little attention in modern computing

• Renewed interest because of the industry's desire to protect copyrighted digital work
  – audio, images, video, text

• Detect counterfeiters (plagiarism) and unauthorized presentation; embed a key; embed an author ID


Some Modern Techniques: Null cipher

• Message hidden in plain sight and plain text

Big rumble in New Guinea. The war on celebrity acts should end soon. Over four big ecstatic elephants replicated.

Bring two cases of beer.
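The hidden sentence is the first letter of every word of the cover text. As an added example (not the lecture's code), the Python below extracts a null cipher by reading one letter per word or per sentence, and includes a check that a suspected cover text spells a given message; the cover text is the slide's own.

```python
import re

# The cover text from the slide; the hidden message is spelt by the word initials.
COVER_TEXT = ("Big rumble in New Guinea. The war on celebrity acts should end soon. "
              "Over four big ecstatic elephants replicated.")


def units_of(text, unit):
    """Split the cover text into words (punctuation stripped) or sentences."""
    if unit == "word":
        return re.findall(r"[A-Za-z]+", text)
    if unit == "sentence":
        return [s.strip() for s in re.split(r"[.!?]", text) if s.strip()]
    raise ValueError("unit must be 'word' or 'sentence'")


def extract_null_cipher(text, position=0, unit="word"):
    """Take the letter at `position` from every unit; units too short are skipped.

    position=0 with unit="word" is the classic acrostic used on the slide; other
    positions and unit="sentence" cover the common variants of the same trick.
    """
    return "".join(u[position] for u in units_of(text, unit) if len(u) > position)


def carries_acrostic(text, message):
    """Detection check: do the word initials spell `message` (case and spaces ignored)?"""
    return extract_null_cipher(text).lower() == re.sub(r"\s+", "", message).lower()


if __name__ == "__main__":
    print(extract_null_cipher(COVER_TEXT))                       # word initials
    print(extract_null_cipher(COVER_TEXT, unit="sentence"))      # sentence initials
    print(carries_acrostic(COVER_TEXT, "Bring two cases of beer"))
```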


Some Modern Techniques: Image watermarking

• Involves bit dropping, flipping, color separation, etc

From an image of a tree, removing all but the two least significant bits of each color component produces an almost completely black image. Making that image 85 times brighter produces the cat image.
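As an added example (not the lecture's code), the Python below performs the reveal step the slide describes, keeping only the two least significant bits of each colour component and brightening by 85 (3 × 85 = 255), together with the matching embed step that puts the top two bits of a secret image into those positions; the tiny cover and secret images are constructed stand-ins for the tree and cat photos, and images are lists of rows of (R, G, B) tuples.

```python
BITS = 2                                 # least significant bits used as the hidden channel
MASK = (1 << BITS) - 1                   # 0b11
GAIN = 255 // MASK                       # 85: scales a 2-bit value up to full brightness


def embed(cover, secret, bits=BITS):
    """Write the top `bits` bits of each secret component into the cover's low `bits` bits."""
    mask = (1 << bits) - 1
    out = []
    for crow, srow in zip(cover, secret):
        out.append([
            tuple((c & ~mask) | (s >> (8 - bits)) for c, s in zip(cpx, spx))
            for cpx, spx in zip(crow, srow)
        ])
    return out


def reveal(image, bits=BITS):
    """Keep only the `bits` LSBs (a near-black image), then brighten by 255 // mask."""
    mask = (1 << bits) - 1
    gain = 255 // mask                   # 85 for two bits, matching the slide
    return [[tuple((c & mask) * gain for c in px) for px in row] for row in image]


def max_change(cover, stego):
    """Largest per-component change the embedding made: why the stego image looks unchanged."""
    return max(abs(c - s) for crow, srow in zip(cover, stego)
               for cpx, spx in zip(crow, srow) for c, s in zip(cpx, spx))


# Constructed 2x1 images standing in for the slide's tree (cover) and cat (secret).
COVER = [[(200, 100, 50), (10, 20, 30)]]
SECRET = [[(255, 0, 128), (64, 192, 255)]]


def demo():
    stego = embed(COVER, SECRET)         # looks like the tree: each component moves by at most 3
    revealed = reveal(stego)             # the cat, quantised to 4 levels per component
    return stego, revealed, max_change(COVER, stego)


if __name__ == "__main__":
    print(demo())
```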


Some Modern Techniques: UV Watermarking


Some Modern Techniques: Machine ID Codes in Laser Printers


Some Modern Techniques: Typography

• Text lines shifted up/down (40 lines of text ⇒ 2^40 codes)

• Word space coding

• Character encoding – minor changes to the shapes of characters
