Network Security

Dec 30, 2015

Download

Documents

keefe-cooley

Transcript
Page 1: Network Security

Network Security

introduction
cryptography
authentication
key exchange
Reading: Tannenbaum, section 7.1
Ross/Kurose, Ch 7 (which is incomplete)

Page 2: Network Security

Network Security

Intruder may
eavesdrop
remove, modify, and/or insert messages
read and playback messages

Page 3: Network Security

Important issues:
cryptography: secrecy of info being transmitted
authentication: proving who you are and having correspondent prove his/her/its identity

Page 4: Network Security

Security in Computer Networks

User resources: login passwords often transmitted unencrypted in TCP packets between applications (e.g., telnet, ftp)
passwords provide little protection

Page 5: Network Security

Network resources: often completely unprotected from intruder eavesdropping, injection of false messages
mail spoofs, router updates, ICMP messages, network management messages

Bottom line: intruder attaching his/her machine (access to OS code, root privileges) onto network can override many system-provided security measures
users must take a more active role

Page 6: Network Security

Encryption

plaintext: unencrypted message
ciphertext: encrypted form of message

Intruder may
intercept ciphertext transmission
intercept plaintext/ciphertext pairs
obtain encryption/decryption algorithms

Page 7: Network Security

A simple encryption algorithm

Substitution cipher:

abcdefghijklmnopqrstuvwxyz
poiuytrewqasdfghjklmnbvczx

replace each plaintext character in message with matching ciphertext character:

plaintext: Charlotte, my love
ciphertext: iepksgmmy, dz sgby

Page 8: Network Security

key is pairing between plaintext characters and ciphertext characters
symmetric key: sender and receiver use same key
26! (approx 10^26) different possible keys: unlikely to be broken by random trials
substitution cipher subject to decryption using observed frequency of letters: 'e' most common letter, 'the' most common word
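The substitution cipher of pages 7 and 8, as an added example that is not part of the slides: it applies the slide's key to "Charlotte, my love", inverts it, and runs the letter-frequency count that page 8 says defeats the cipher (the English sentence used for the count is constructed here).

```python
# Added example (not from the slides): substitution cipher of pages 7-8 plus
# the letter-frequency statistic that makes it breakable with enough ciphertext.
from collections import Counter
import string

PLAIN_ALPHABET = string.ascii_lowercase
CIPHER_ALPHABET = "poiuytrewqasdfghjklmnbvczx"   # the key shown on page 7

ENCRYPT_TABLE = str.maketrans(PLAIN_ALPHABET, CIPHER_ALPHABET)
DECRYPT_TABLE = str.maketrans(CIPHER_ALPHABET, PLAIN_ALPHABET)

# Constructed sample text for the frequency check (plain English, many 'e's).
SAMPLE = "the eavesdropper sees every message between the sender and the receiver"


def encrypt(plaintext):
    """Replace each letter by its partner in the key. Capitals are folded to
    lowercase first and spaces/punctuation pass through, matching the slide's
    "Charlotte, my love" -> "iepksgmmy, dz sgby"."""
    return plaintext.lower().translate(ENCRYPT_TABLE)


def decrypt(ciphertext):
    """Apply the inverse pairing; the key is symmetric (page 8)."""
    return ciphertext.translate(DECRYPT_TABLE)


def letter_frequencies(text):
    """Letters only, most common first. Because the cipher maps each letter to
    one fixed symbol, the plaintext frequencies survive in the ciphertext."""
    counts = Counter(ch for ch in text.lower() if ch in PLAIN_ALPHABET)
    return counts.most_common()


def guess_e(ciphertext):
    """Page 8's observation: the most frequent ciphertext letter is the best
    guess for the image of plaintext 'e'."""
    return letter_frequencies(ciphertext)[0][0]


if __name__ == "__main__":
    ct = encrypt("Charlotte, my love")
    print(ct, "->", decrypt(ct))
    print("most frequent ciphertext letter:", guess_e(encrypt(SAMPLE)),
          "(plaintext 'e' maps to", encrypt("e") + ")")
```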

Page 9: Network Security

DES: Data Encryption Standard

encrypts data in 64-bit chunks
encryption/decryption algorithm is a published standard: everyone knows how to do it
substitution cipher over 64-bit chunks: 56-bit key determines which of 56! substitution ciphers used
substitution: 19 stages of transformations, 16 involving functions of key

Page 10: Network Security

decryption done by reversing encryption steps
sender and receiver must use same key

Page 11: Network Security

Key Distribution Problem

Problem: how do communicants agree on symmetric key? N communicants implies N keys

Trusted agent distribution:
keys distributed by centralized trusted agent
any communicant need only know key to communicate with trusted agent
for communication between i and j, trusted agent will provide a key

Page 12: Network Security

We will cover in more detail shortly

Page 13: Network Security

Public Key Cryptography

separate encryption/decryption keys
receiver makes known (!) its encryption key
receiver keeps its decryption key secret

to send to receiver B, encrypt message M using B's publicly available key, EB
send EB(M)

to decrypt, B applies its private decrypt key DB to received message: computing DB( EB(M) ) gives M

Page 14: Network Security

knowing encryption key does not help with decryption; decryption is a non-trivial inverse of encryption
only receiver can decrypt message

Question: good encryption/decryption algorithms

Page 15: Network Security

RSA: public key encryption/decryption

RSA: a public key algorithm for encrypting/decrypting

Entity wanting to receive encrypted messages:
choose two prime numbers, p, q greater than 10^100
compute n=pq and z = (p-1)(q-1)
choose number d which has no common factors with z
compute e such that ed = 1 mod z, i.e., integer-remainder( (ed) / ((p-1)(q-1)) ) = 1, i.e., ed = k(p-1)(q-1) + 1

three numbers:
e, n made public
d kept secret

Page 16: Network Security

RSA (continued)

to encrypt: divide message into blocks, {b_i} of size j: 2^j < n
encrypt: encrypt(b_i) = b_i^e mod n

to decrypt: b_i = encrypt(b_i)^d mod n

to break RSA: need to know p, q, given pq=n, n known
factoring 200 digit n into primes takes 4 billion years using known methods

Page 17: Network Security

RSA example

choose p=3, q=11, gives n=33, (p-1)(q-1)=z=20
choose d = 7 since 7 and 20 have no common factors
compute e = 3, so that ed = k(p-1)(q-1)+1 (note: k=1 here)

Page 18: Network Security

plaintext -> ciphertext (e=3)
char   #     #^3     #^3 mod 33
S      19    6859    28
U      21    9261    21
N      14    2744    5

ciphertext -> plaintext (d=7)
c      c^7            c^7 mod 33   char
28     13492928512    19           S
21     1801           21           N

Page 19: Network Security

Further notes on RSA

why does RSA work?
crucial number theory result: if p, q prime then b_i^((p-1)(q-1)) mod pq = 1
using mod pq arithmetic:
(b^e)^d = b^{ed}
        = b^{k(p-1)(q-1)+1} for some k
        = b b^((p-1)(q-1)) b^((p-1)(q-1)) ... b^((p-1)(q-1))
        = b 1 1 ... 1
        = b

Note: we can also encrypt with d and decrypt with e. this will be useful shortly

Page 20: Network Security

How to break RSA?

Brute force: get B's public key
for each possible b_i in plaintext, compute b_i^e
for each observed b_i^e, we then know b_i
moral: choose size of b_i "big enough"
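The RSA procedure of pages 15 to 20 run end to end, as an added example that is not from the slides: key setup from the slide's p=3, q=11, d=7 (e is derived as the modular inverse rather than chosen by hand), the per-block encrypt/decrypt of page 16 reproducing page 18's table for S, U, N, the d-then-e round trip noted on page 19, and the small-block tabulation that page 20 warns about. The letter numbering A=1 .. Z=26 is taken from page 18's table.

```python
# Added example (not from the slides): RSA on the toy parameters of page 17,
# small enough that every intermediate value can be checked by hand.
from math import gcd


def make_keys(p, q, d):
    """Page 15: n = pq, z = (p-1)(q-1); d must share no factor with z and
    e satisfies e*d = 1 mod z. Returns ((e, n) public, d private)."""
    n = p * q
    z = (p - 1) * (q - 1)
    if gcd(d, z) != 1:
        raise ValueError("d must have no common factors with z")
    e = pow(d, -1, z)            # modular inverse, Python 3.8+
    assert (e * d) % z == 1      # the page 15 condition, checked
    return (e, n), d


def encrypt_block(b, e, n):
    """Page 16: encrypt(b_i) = b_i^e mod n; the block must be below n."""
    if not 0 <= b < n:
        raise ValueError("block value must be smaller than n")
    return pow(b, e, n)


def decrypt_block(c, d, n):
    """Page 16 (with the mod n that page 18's table applies): b_i = c^d mod n."""
    return pow(c, d, n)


def letter_to_number(ch):
    return ord(ch.upper()) - ord("A") + 1      # A=1 ... Z=26 as on page 18


def number_to_letter(x):
    return chr(x - 1 + ord("A"))


def rsa_table(word, e, d, n):
    """Rebuild page 18's table: (char, #, #^e mod n, char after c^d mod n)."""
    rows = []
    for ch in word:
        m = letter_to_number(ch)
        c = encrypt_block(m, e, n)
        back = decrypt_block(c, d, n)
        rows.append((ch, m, c, number_to_letter(back)))
    return rows


def signing_roundtrip(m, e, d, n):
    """Page 19's note: applying d first and e second also returns m,
    which is what a signature check later relies on."""
    return pow(pow(m, d, n), e, n)


def tabulate_small_blocks(e, n):
    """Page 20's brute force: with a tiny n the whole plaintext space can be
    enumerated once, so each observed ciphertext names its block. The
    defence is the slide's moral: make blocks (and n) far too large for this."""
    return {pow(b, e, n): b for b in range(n)}


if __name__ == "__main__":
    (e, n), d = make_keys(3, 11, 7)
    print("public (e, n) =", (e, n), " private d =", d)
    for row in rsa_table("SUN", e, d, n):
        print(row)
    print("blocks recoverable from one table of size", len(tabulate_small_blocks(e, n)))
```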

Page 21: Network Security

man-in-the-middle: intercept keys, spoof identity:

Page 22: Network Security

Authentication

Question: how does a receiver know that remote communicating entity is who it is claimed to be?

Page 23: Network Security

Authentication Protocol (ap)

Ap 1.0
Alice to Bob: “I am Alice”
Problem: intruder “Trudy” can also send such a message

Ap 2.0
Authenticate source IP address is from Alice’s machine
Problem: IP Spoofing (send IP packets with a false address)

Ap 3.0: use a secret password
Alice to Bob: “I am Alice, here is my password” (e.g., telnet)
Problem: Trudy can intercept Alice’s password by sniffing packets

Page 24: Network Security

Authentication Protocol

Ap 3.1: use encryption

use a symmetric key known to Alice and Bob
Alice & Bob (only) know secure key for encryption/decryption

A to B: msg = encrypt("I am A")
B computes: if decrypt(msg)=="I am A"
            then A is verified
            else A is fraudulent

failure scenarios: playback attack
Trudy can intercept Alice’s message and masquerade as Alice at a later time

Page 25: Network Security

Authentication Using Nonces

Problem with ap 3.1: same password is used for all sessions
Solution: use a sequence of passwords
pick a "once-in-a-lifetime-only" number (nonce) for each session

Ap 4.0
A to B: msg = "I am A" /* note: unencrypted message! */
B to A: once-in-a-lifetime value, n
A to B: msg2 = encrypt(n) /* use symmetric keys */
B computes: if decrypt(msg2)==n
            then A is verified
            else A is fraudulent

note similarities to three way handshake and initial sequence number choice
problems with nonces?
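Ap 3.1 and Ap 4.0 side by side, as an added example that is not part of the slides: Bob is modelled twice, once accepting the fixed encrypted greeting (page 24) and once challenging with a fresh nonce (page 25), and the playback scenario is replayed against both. Assumption: the slide's encrypt() under the shared symmetric key is stood in for by an HMAC-SHA256 tag under that key, which is what a practitioner would use for a proof-of-possession check; the shared key is constructed.

```python
# Added example (not from the slides): why the nonce of Ap 4.0 stops the
# playback that defeats Ap 3.1. Keyed MAC stands in for the slide's encrypt().
import hashlib
import hmac
import secrets

SHARED_KEY = b"constructed-shared-key-of-alice-and-bob"   # constructed sample key


def tag(key, message):
    """Stand-in for encrypt(message) under a symmetric key: only a holder of
    the key can produce the correct value."""
    return hmac.new(key, message, hashlib.sha256).digest()


class Bob31:
    """Ap 3.1: accepts any message equal to the keyed encoding of 'I am A'."""
    def __init__(self, key):
        self.key = key

    def verify(self, msg):
        return hmac.compare_digest(msg, tag(self.key, b"I am A"))


class Bob40:
    """Ap 4.0: answers the claim with a fresh nonce and accepts only a reply
    to a nonce that is still outstanding; each nonce is consumed once."""
    def __init__(self, key):
        self.key = key
        self.outstanding = set()

    def challenge(self, claim):
        n = secrets.token_bytes(16)         # once-in-a-lifetime value
        self.outstanding.add(n)
        return n

    def verify(self, n, msg2):
        if n not in self.outstanding:
            return False                    # unknown or already-used nonce
        self.outstanding.discard(n)
        return hmac.compare_digest(msg2, tag(self.key, n))


def alice_answers(key, n):
    """Alice's msg2 = encrypt(n)."""
    return tag(key, n)


def playback_against_31(key):
    """Trudy records Alice's msg and resends it later: Bob31 accepts both."""
    bob = Bob31(key)
    msg = tag(key, b"I am A")
    return bob.verify(msg), bob.verify(msg)


def playback_against_40(key):
    """The recorded msg2 answers a nonce Bob no longer has outstanding."""
    bob = Bob40(key)
    n = bob.challenge(b"I am A")
    msg2 = alice_answers(key, n)
    return bob.verify(n, msg2), bob.verify(n, msg2)


if __name__ == "__main__":
    print("Ap 3.1 (first, replay):", playback_against_31(SHARED_KEY))
    print("Ap 4.0 (first, replay):", playback_against_40(SHARED_KEY))
```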

Page 26: Network Security

Authentication Using Public Keys

Ap 4.0 uses symmetric keys for authentication
Question: can we use public keys?

symmetry: DA( EA(n) ) = EA( DA(n) )

AP 5.0
A to B: msg = "I am A"
B to A: once-in-a-lifetime value, n
A to B: msg2 = DA(n)
B computes: if EA( DA(n) ) == n
            then A is verified
            else A is fraudulent

Page 27: Network Security

Problems with Ap 5.0

Bob needs Alice’s public key for authentication
Trudy can impersonate as Alice to Bob
– Trudy to Bob: msg = “I am Alice”
– Bob to Alice: nonce n (Trudy intercepts this message)
– Trudy to Bob: msg2 = DT(n)
– Bob to Alice: send me your public key (Trudy intercepts)
– Trudy to Bob: send ET (claiming it is EA)
– Bob: verify ET(DT(n)) == n and authenticates Trudy as Alice!!

Moral: Ap 5.0 is only as “secure” as public key distribution

Page 28: Network Security

Man-in-the-middle Attack

Trudy impersonates as Alice to Bob and as Bob to Alice

Alice                 Trudy                 Bob
“I am A”   ->
                      “I am A”   ->
                                 <-  nonce n
                      DT(n)      ->
                                 <-  send me ET
                      ET         ->
           <-  nonce n
DA(n)      ->
           <-  send me EA
EA         ->

Bob sends data using ET, Trudy decrypts and forwards it using EA!! (Trudy transparently intercepts every message)

Page 29: Network Security

Digital Signatures Using Public Keys

Goals of digital signatures:
sender cannot repudiate a message it sent ("I never sent that")
receiver cannot fake a received message

Suppose A wants B to "sign" a message M
B sends DB(M) to A
A computes: if EB( DB(M) ) == M then B has signed M

Question: can B plausibly deny having sent M?

Page 30: Network Security

Message Digests

Encrypting and decrypting entire messages using digital signatures is computationally expensive

Routers routinely exchange data
– Does not need encryption
– Needs authentication and verify that data hasn’t changed

Message digests: like a checksum
Hash function H: converts variable length string to fixed length hash
Digitally sign H(M)
Send M, EA(H(M))
Can verify who sent the message and that it hasn’t been changed!

Property of H
Given a digest x, it is infeasible to find a message y such that H(y) = x
It is infeasible to find any two messages x and y such that H(x) = H(y)

Page 31: Network Security

Symmetric key exchange: trusted server

Problem: how do distributed entities agree on a key?

Assume: each entity has its own single key, which only it and trusted server know

Server:
will generate a one-time session key that A and B use to encrypt communication
will use A and B's single keys to communicate session key to A, B

Page 32: Network Security

Page 33: Network Security

Symmetric Key exchange: trusted server

Preceding scenario:

1. A sends encrypted msg to S, containing A, B, nonce RA: EA(A,B,RA)
2. S decrypts using DA, generates one time session key, K, sends nonce, key, and B-encrypted encoding of key to A: EA(RA,B,K,EB(K,A))
3. A decrypts msg from S using DA and verifies nonce. Extracts K, saves it and sends EB(K,A) to B.
4. B decrypts msg using DB, extracts K, generates new nonce RB, sends EK(RB) to A
5. A decrypts using K, extracts RB, computes RB-1 and encrypts using K. Sends EK(RB-1) to B
6. B decrypts using K and verifies RB-1
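The six-step exchange of page 33 run end to end, as an added example that is not part of the slides. Assumptions: the slide's E_X / D_X are modelled by a small authenticated-encryption helper (SHA-256 keystream plus an HMAC tag, constructed for illustration and not a production cipher), the long-term keys of A and B and the nonces are generated at random, and message fields travel as JSON lists.

```python
# Added example (not from the slides): trusted-server session key exchange,
# steps 1-6 of page 33, with each party's checks made explicit.
import hashlib
import hmac
import json
import secrets

# Long-term keys: each known only to its owner and to the server S (page 31).
LONG_TERM = {"A": secrets.token_bytes(32), "B": secrets.token_bytes(32)}


def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def enc(key, fields):
    """E_key(fields): toy authenticated encryption -> nonce | ciphertext | tag."""
    pt = json.dumps(fields).encode()
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    mac = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + mac


def dec(key, blob):
    """D_key(blob): check the tag first, then decrypt; wrong key or altered
    bytes raise, so a forged or modified message never yields fields."""
    nonce, ct, mac = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(mac, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


def exchange():
    # 1. A -> S: EA(A, B, RA)
    RA = secrets.token_hex(16)
    msg1 = enc(LONG_TERM["A"], ["A", "B", RA])
    # 2. S decrypts with A's key, makes one-time K, replies EA(RA, B, K, EB(K, A))
    a, b, ra = dec(LONG_TERM["A"], msg1)
    K = secrets.token_hex(32)
    ticket = enc(LONG_TERM[b], [K, a])
    msg2 = enc(LONG_TERM[a], [ra, b, K, ticket.hex()])
    # 3. A decrypts, verifies the nonce (ties the reply to its own request),
    #    keeps K and forwards EB(K, A) to B untouched
    ra2, b2, K_a, ticket_hex = dec(LONG_TERM["A"], msg2)
    if ra2 != RA or b2 != "B":
        raise ValueError("server reply does not match A's request")
    msg3 = bytes.fromhex(ticket_hex)
    # 4. B decrypts with its own key, learns K and who it is for, sends EK(RB)
    K_b, peer = dec(LONG_TERM["B"], msg3)
    RB = secrets.randbelow(2**32)
    msg4 = enc(bytes.fromhex(K_b), [RB])
    # 5. A decrypts with K and answers EK(RB-1): shows A holds K, not a replay
    (rb,) = dec(bytes.fromhex(K_a), msg4)
    msg5 = enc(bytes.fromhex(K_a), [rb - 1])
    # 6. B decrypts with K and checks RB-1
    (answer,) = dec(bytes.fromhex(K_b), msg5)
    return answer == RB - 1 and K_a == K_b and peer == "A"


def tamper_detected():
    """A ticket EB(K, A) altered in transit is rejected by DB in step 4."""
    blob = bytearray(enc(LONG_TERM["B"], ["k", "A"]))
    blob[20] ^= 0x01                      # flip one ciphertext bit
    try:
        dec(LONG_TERM["B"], bytes(blob))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("exchange completed:", exchange())
    print("tampered ticket rejected:", tamper_detected())
```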

Page 34: Network Security

Public key exchange: trusted server

public key retrieval subject to man-in-middle attack
locate all public keys in trusted server
everyone has server's encryption key (ED public)
suppose A wants to send to B using B's "public" key

Page 35: Network Security

Protection against Intruders: Firewalls

Page 36: Network Security

Firewall: network components (host/router+software) sitting between inside ("us") and outside ("them")

Packet filtering firewalls: drop packets on basis of source or destination address (i.e., IP address, port)

Application gateways: application specific code intercepts, processes and/or relays application specific packets
e.g., email or telnet gateways
application gateway code can be security hardened
can log all activity

Page 37: Network Security

Secure Email

Requirements:
Secrecy
Sender authentication
Message integrity
Receiver authentication

Secrecy
Can use public keys to encrypt messages
– Inefficient for long messages
Use symmetric keys
– Alice generates a symmetric key K
– Encrypt message M with K
– Encrypt K with EB
– Send K(M), EB(K)
– Bob decrypts using his private key, gets K, decrypts K(M)

Page 38: Network Security

Secure Email

Authentication and Integrity (with no secrecy)
Alice applies hash function H to M (H can be MD5)
Creates a digital signature DA(H(M))
Send M, DA(H(M)) to Bob

Putting it all together
Compute H(M), DA(H(M))
M’ = { H(M), DA(H(M)) }
Generate symmetric key K, compute K(M’)
Encrypt K as EB(K)
Send K(M’), EB(K)

Used in PGP (pretty good privacy)

Page 39: Network Security

Secure Sockets Layer (SSL)

SSL: Developed by Netscape
Provides data encryption and authentication between web server and client
SSL lies above the transport layer
Useful for Internet Commerce, secure mail access (IMAP)
Features:
– SSL server authentication
– Encrypted SSL session
– SSL client authentication

Page 40: Network Security

Secure Socket Layer

Protocol: https instead of http
Browser -> Server: B’s SSL version and preferences
S->B: S’s SSL version, preferences, and certificate
– Certificate: server’s RSA public key encrypted by CA’s private key
B: uses its list of CAs and public keys to decrypt S’s public key
B->S: generate K, encrypt K with ES
B->S: “future messages will be encrypted”, and K(m)
S->B: “future messages will be encrypted”, and K(m)
SSL session begins…

Page 41: Network Security

SSL

SET: secure electronic transactions [Visa, Mastercard]
Designed for secure credit card payment
Includes client, merchant and merchant’s bank
Homework: read up on SET from KR 7.7.2

Homework: get your own digital certificate
Click on “security” icon (next to “print” icon) in Netscape 4.7
Click on “Certificates” and then on “obtain your certificate”
Send an email to yourself signed with your certificate
Also examine list of trusted CAs built into the browser

Page 42: Network Security

Security: Internet activity

IP layer:
authentication of header: receiver can authenticate sender using message authentication code (MAC)
encryption of contents: DES, RFC 1829

API
SSL - secure socket layer: support for authentication and encryption
port numbers: 443 for http with SSL, 465 for smtp with SSL

Application Layer
Privacy Enhanced Mail (PEM)
secure http: supports many authentication, encryption schemes

Page 43: Network Security

Secure Email

PEM: operates on top of SMTP
ASCII
msg authentication - MD2, MD5
msg encryption - RSA, DES
authenticated encrypted msgs and encrypted authenticated msgs

PGP (Pretty Good Privacy): secure file transfer (incl. email)
binary files

Page 44: Network Security

Security: conclusion

key concerns:
encryption
authentication
key exchange

also:
increasingly an important area as network connectivity increases
digital signatures, digital cash, authentication, increasingly important
an important social concern

further reading:
Crypto Policy Perspectives: S. Landau et al., Aug 1994 CACM
Internet Security, R. Oppliger, CACM May 1997
www.eff.org