
Network Security and Cryptography

Jan 18, 2015

reagana796

A brief discussion of network security and an introduction to cryptography. We end the presentation with a discussion of the RSA algorithm, and show how it works with a basic example.
Transcript
Page 1: Network Security and Cryptography

Network Security and Cryptography

By Adam Reagan
CIS 504 – Data Communications

The College of Saint Rose, Albany NY
Spring 2008

Page 2: Network Security and Cryptography

A Need For Security

Growing computer use implies a need for automated tools for protecting files and other information

The use of networks and communications facilities for carrying data between users and computers is also growing

Network security measures are needed to protect data during transmission

Page 3: Network Security and Cryptography

TCP/IP Communications Security

Traffic is typically secured by using SSL or VPN

Secure Sockets Layer
Older and more widely used protocol
Communicating applications have to be written to use SSL
Applications do SSL processing
Flexible

Virtual Private Networks
Security is implemented at the IP or Data Link Layer

Page 4: Network Security and Cryptography

Aspects of Security

Attack

Mechanism

Service

Page 5: Network Security and Cryptography

Security Attack

Any action that compromises the security of information

Two examples:

Passive - Attempt to learn or make use of information from the system but does not affect system resources
Monitor transmission to obtain message contents or traffic analysis
Eavesdropping
Difficult to detect because there is no alteration of data

Active - Attempt to alter system resources or affect their operation
Modification of messages in transit
Denial of service

Page 6: Network Security and Cryptography

Other Types of Attacks

Page 7: Network Security and Cryptography

Interruption

An asset of the system is destroyed or becomes unavailable

Attack on availability

Examples:
Destruction of a piece of hardware (e.g. hard disk)
Cutting of a communication line
Disabling a file management system

Page 8: Network Security and Cryptography

Interception

An unauthorized person, program, or computer gains access to an asset

Attack on confidentiality

Examples
Wiretapping to capture data in a network

Page 9: Network Security and Cryptography

Modification

An asset is intercepted AND tampered with

Attack on integrity

Examples:
Changing values in a data file
Altering a program to change performance
Altering content of messages in transit

Page 10: Network Security and Cryptography

Fabrication

An unauthorized party inserts counterfeit objects into a system

Attack on authenticity

Example
Addition of records to a data file

Page 11: Network Security and Cryptography

Security Mechanism

Designed to detect, prevent, or recover from a security attack

Most security mechanisms make use of cryptographic techniques

Encryption or encryption-like transformations of information are the most common means of providing security

More to come…

Page 12: Network Security and Cryptography

Security Service

Enhances the security of data processing systems and the information transfers of an organization

Intended to counter security attacks

Make use of one or more security mechanisms to provide the service

Page 13: Network Security and Cryptography

Examples of Services

Confidentiality
Information in a computer system and transmitted information are accessible only for reading by authorized parties

Authentication
Origin of a message or file is correctly identified, with assurance that the identity is not false

Integrity
Only authorized parties are able to modify computer system assets and transmitted information

Availability
Requires that computer system assets be available to authorized parties upon request

Page 14: Network Security and Cryptography

Conventional Encryption

Encryption scheme consists of 5 main features:
Plaintext – Original message
Encryption Algorithm – Used to convert plaintext into ciphertext
Key – Information used to determine the functional output of algorithm
Security depends on secrecy of the key, not secrecy of the algorithm
Ciphertext – Coded message
Decryption Algorithm – Used to recover plaintext from ciphertext

Page 15: Network Security and Cryptography

Conventional Encryption Techniques

Symmetric, or Single-Key encryption

Only one key is used to encrypt and decrypt messages

Therefore, sender and receiver share the common key

The key is kept private from everyone else

Page 16: Network Security and Cryptography

Single-Key Encryption Schematic

Page 17: Network Security and Cryptography

Substitution Ciphers

Plaintext is replaced by different letters, numbers, or symbols

If plaintext is viewed as a sequence of bits, then substitution involves replacing plaintext bit patterns with ciphertext bit patterns

Page 18: Network Security and Cryptography

Caesar Cipher

Earliest known substitution cipher

Developed by Julius Caesar for military purposes

Replace each letter by the letter which is 3 positions ahead of it

Example:
Plaintext = MEET ME AFTER THE TOGA PARTY
Ciphertext = PHHW PH DIWHU WKH WRJD SDUWB
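
The shift substitution described on this slide, as an added example that is not part of the original presentation (the function names are my own). It reproduces the slide's MEET ME AFTER THE TOGA PARTY example and, going one step beyond the slide, shows why a Caesar cipher offers no real protection: the key space holds only 25 non-trivial shifts, and a simple count of common English letters picks the right one.

```python
# Added example: Caesar cipher (shift substitution) as described on the slide.
# Not part of the original presentation; the function names are my own.
import string

ALPHABET = string.ascii_uppercase


def caesar_encrypt(plaintext: str, shift: int = 3) -> str:
    """Replace each letter by the letter `shift` positions ahead of it (mod 26).
    Non-letters such as spaces pass through unchanged, as in the slide's example."""
    out = []
    for ch in plaintext.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + shift) % 26])
        else:
            out.append(ch)
    return "".join(out)


def caesar_decrypt(ciphertext: str, shift: int = 3) -> str:
    """Decryption is encryption with the negated shift."""
    return caesar_encrypt(ciphertext, -shift)


def caesar_all_shifts(ciphertext: str) -> dict:
    """Every candidate plaintext: a shift cipher has only 25 non-trivial keys,
    so the whole key space can be listed and inspected by eye."""
    return {k: caesar_decrypt(ciphertext, k) for k in range(1, 26)}


def likely_shift(ciphertext: str) -> int:
    """Score each candidate by how many of the common English letters E, T, A, O
    it contains and return the best-scoring shift. This letter-frequency
    weakness is shared by every simple substitution cipher."""
    def score(text: str) -> int:
        return sum(text.count(c) for c in "ETAO")

    candidates = caesar_all_shifts(ciphertext)
    return max(candidates, key=lambda k: score(candidates[k]))


if __name__ == "__main__":
    pt = "MEET ME AFTER THE TOGA PARTY"
    ct = caesar_encrypt(pt)
    print(ct)                    # PHHW PH DIWHU WKH WRJD SDUWB
    print(caesar_decrypt(ct))    # MEET ME AFTER THE TOGA PARTY
    print(likely_shift(ct))      # 3
```

The secrecy here rests entirely on the key (the shift), exactly as the Conventional Encryption slide requires, but a key drawn from a set of 25 cannot keep a secret; this is the simplest illustration of why key size matters, a point the DES slide returns to.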

Page 19: Network Security and Cryptography

Transposition Cipher

Permutation ciphers

Hide the message by rearranging the letter order WITHOUT altering the actual letters used

More recognizable because frequency distribution is the same as the original text

Page 20: Network Security and Cryptography

Rail Fence Cipher

Write letters out diagonally over a number of rows

Then read off cipher row by row

Example:
M E M A T R H T G P R Y
 E T E F E T E O A A T

Ciphertext = MEMATRHTGPRYETEFETEOAAT
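
An added example (not code from the presentation; function names are my own) covering the two preceding slides: a rail fence cipher generalized to any number of rails, with decryption, and the letter-frequency check that the Transposition Cipher slide describes. With two rails it reproduces the slide's ciphertext MEMATRHTGPRYETEFETEOAAT; the frequency histogram of plaintext and ciphertext is identical, which is what makes a transposition recognizable.

```python
# Added example: rail fence (transposition) cipher for any number of rails,
# plus the frequency check from the Transposition Cipher slide.
# Not part of the original presentation; function names are my own.
from collections import Counter


def _rail_pattern(length: int, rails: int) -> list:
    """Row index of each letter position when writing in a zigzag over `rails` rows."""
    if rails < 1:
        raise ValueError("need at least one rail")
    pattern, row, step = [], 0, 1
    for _ in range(length):
        pattern.append(row)
        if rails == 1:
            continue
        if row == 0:
            step = 1
        elif row == rails - 1:
            step = -1
        row += step
    return pattern


def rail_fence_encrypt(plaintext: str, rails: int = 2) -> str:
    """Write the letters diagonally over `rails` rows, then read off row by row.
    Spaces are dropped, as in the slide's example."""
    letters = [c for c in plaintext.upper() if c.isalpha()]
    pattern = _rail_pattern(len(letters), rails)
    rows = [[] for _ in range(rails)]
    for ch, r in zip(letters, pattern):
        rows[r].append(ch)
    return "".join("".join(r) for r in rows)


def rail_fence_decrypt(ciphertext: str, rails: int = 2) -> str:
    """Recover the zigzag: slice the ciphertext into rows of the right lengths,
    then read the rows back in zigzag order."""
    pattern = _rail_pattern(len(ciphertext), rails)
    rows, pos = [], 0
    for r in range(rails):
        count = pattern.count(r)
        rows.append(iter(ciphertext[pos:pos + count]))
        pos += count
    return "".join(next(rows[r]) for r in pattern)


def letter_frequencies(text: str) -> Counter:
    """Letter histogram. A transposition only reorders letters, so the histogram
    of the ciphertext equals that of the plaintext."""
    return Counter(c for c in text.upper() if c.isalpha())


if __name__ == "__main__":
    pt = "MEET ME AFTER THE TOGA PARTY"
    ct = rail_fence_encrypt(pt, rails=2)
    print(ct)                                   # MEMATRHTGPRYETEFETEOAAT
    print(rail_fence_decrypt(ct, rails=2))      # MEETMEAFTERTHETOGAPARTY
    print(letter_frequencies(pt) == letter_frequencies(ct))   # True
```

Because the only secret is the number of rails, and because the letter statistics leak through untouched, a transposition alone is as weak as the Caesar cipher; the value of the exercise is seeing that confidentiality needs the letters themselves to change, not just their order.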

Page 21: Network Security and Cryptography

Data Encryption Standard (DES)

Selected as an official Federal Information Processing Standard (FIPS) for the U.S. in 1976

Block cipher (as opposed to a Stream cipher, where plaintext is processed one bit or byte at a time)

Plaintext is processed in 64-bit blocks

The algorithm used is called the Data Encryption Algorithm (DEA)
Transforms 64-bit input in a series of steps into a 64-bit output
The same steps are used to decrypt messages
Sender and receiver share the same key (Symmetric)

Now considered to be insecure
Key size is 56 bits, considered to be too small

Page 22: Network Security and Cryptography

TDES and AES

TDES
Triple DES – Use algorithm 3 times
3 different keys (56-bits each)
168 bits total (192 if parity bits are included)
Superseded by AES

AES
Advanced Encryption Standard
Fixed block size of 128 bits
Key size can be 128, 192, or 256 bits

Page 23: Network Security and Cryptography

Public-Key Cryptography

Asymmetric Cryptography

Two keys are used for encryption and decryption of messages
One is public, the other private
Keys are related mathematically, but the private key cannot be practically derived from the public key

A message encrypted with the public key can only be decrypted by using the private key

Page 24: Network Security and Cryptography
Page 25: Network Security and Cryptography

Number Theory

Prime Numbers
Basic building blocks of numbers
An integer p > 1 is prime if its only divisors are ±1 and ±p
Occur at random intervals along the number line

Page 26: Network Security and Cryptography

Number Theory

Relatively Prime Numbers
Two integers are relatively prime if their only common factor is 1
If a and b are integers, a and b are relatively prime if gcd(a, b) = 1

gcd = greatest common divisor

Example:
8 and 15 are relatively prime because the divisors of 8 are 1, 2, 4, and 8. The divisors of 15 are 1, 3, 5, and 15. Therefore, 1 is the greatest common divisor

Page 27: Network Security and Cryptography

Euler Totient Function

Φ(n)

Returns the number of positive integers less than n that are relatively prime to n

For a prime number p
Φ(p) = p – 1
Since all numbers less than p are relatively prime to p

Page 28: Network Security and Cryptography

The RSA Algorithm

Published by Ron Rivest, Adi Shamir, and Len Adleman in 1978

Best known and widely used public-key scheme

Block cipher in which plaintext and ciphertext are integers between 0 and n – 1 for some n

Page 29: Network Security and Cryptography

RSA Key Generation

1) Select two prime numbers: p, q (Private, chosen)

2) Calculate n = pq (Public, calculated)

3) Calculate Φ(n) = (p-1)(q-1)

4) Select an integer e such that: gcd(Φ(n), e) = 1 and 1 < e < Φ(n) (Public, chosen)

5) Calculate d where d = e^-1 mod Φ(n), i.e. ed = 1 mod Φ(n) (Private, calculated)

The keys generated are denoted:
KU = {e, n} (Public Key)
KR = {d, n} (Private Key)

Page 30: Network Security and Cryptography

RSA Encryption/Decryption

To encrypt a message M the sender:
Obtains public key of recipient KU={e,n}
Computes: C = M^e mod n
Where 0 ≤ M < n

To decrypt the ciphertext C the owner:
Uses their private key KR={d,n}
Computes: M = C^d mod n

Page 31: Network Security and Cryptography

An Example

1) Let p = 7 and q = 17
2) n = pq = 7 x 17 = 119
3) Φ(n) = (p-1)(q-1) = 6 x 16 = 96
4) Let e = 5
gcd(Φ(n), e) = gcd(96, 5) = 1
1 < 5 < 96

5) d = e^-1 mod Φ(n)
Therefore, de = 1 mod 96
d = 77

77 x 5 = 385 = 4 x 96 + 1

Page 32: Network Security and Cryptography

Example - Key Generation

The two resulting keys are as follows:
Public Key: KU = {e,n} = {5, 119}
Private Key: KR = {d,n} = {77, 119}

Page 33: Network Security and Cryptography

Example - Encryption

To encrypt a message M, where M = 19:
C = M^e mod n
19^5 mod 119 = 2476099 mod 119
2476099 / 119 = 20807 with a remainder of 66
Therefore, C = 66

Page 34: Network Security and Cryptography

Example - Decryption

M = C^d mod n

66^77 mod 119 = (1.27 x 10^140) mod 119

(1.27 x 10^140) / 119 = (1.06 x 10^138) with a remainder of 19

Therefore, M = 19
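
An added example (not code from the presentation; names are my own) that carries the Number Theory, Euler Totient, RSA Key Generation and the worked example slides through in code: gcd and the extended Euclidean algorithm, Φ(n) by brute force, the modular inverse that produces d, and textbook RSA encryption and decryption with modular exponentiation instead of the 140-digit intermediate the slide shows. Run on the slides' p = 7, q = 17, e = 5 it yields KU = {5, 119}, KR = {77, 119}, encrypts M = 19 to C = 66 and decrypts C = 66 back to 19.

```python
# Added example: number-theory helpers and textbook RSA, checked against the
# slides' p = 7, q = 17, e = 5, M = 19 example. Not code from the presentation.
import math


def egcd(a: int, b: int):
    """Extended Euclid: returns (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def modinv(e: int, m: int) -> int:
    """e^-1 mod m, i.e. the d with e*d = 1 mod m; exists only when gcd(e, m) = 1."""
    g, x, _ = egcd(e, m)
    if g != 1:
        raise ValueError(f"{e} has no inverse mod {m}: gcd is {g}")
    return x % m


def is_prime(n: int) -> bool:
    """Trial division; adequate for the toy sizes used on the slides."""
    if n < 2:
        return False
    return all(n % k for k in range(2, math.isqrt(n) + 1))


def totient(n: int) -> int:
    """Φ(n) by brute force: count 1 <= k <= n with gcd(k, n) = 1.
    For a prime p this gives p - 1, and for n = pq it gives (p-1)(q-1)."""
    return sum(1 for k in range(1, n + 1) if math.gcd(k, n) == 1)


def rsa_keygen(p: int, q: int, e: int):
    """Steps 1-5 of the key-generation slide. Returns (KU, KR) = ((e, n), (d, n))."""
    if not (is_prime(p) and is_prime(q)) or p == q:
        raise ValueError("p and q must be distinct primes")
    n = p * q                          # step 2: public, calculated
    phi = (p - 1) * (q - 1)            # step 3: equals totient(n) for distinct primes p, q
    if not (1 < e < phi and math.gcd(phi, e) == 1):
        raise ValueError("e must satisfy 1 < e < Φ(n) and gcd(Φ(n), e) = 1")
    d = modinv(e, phi)                 # step 5: e*d = 1 mod Φ(n)
    return (e, n), (d, n)


def rsa_encrypt(m: int, public_key) -> int:
    """C = M^e mod n, with the slide's precondition 0 <= M < n enforced."""
    e, n = public_key
    if not 0 <= m < n:
        raise ValueError("message must be an integer in [0, n)")
    return pow(m, e, n)                # modular exponentiation avoids the huge intermediate


def rsa_decrypt(c: int, private_key) -> int:
    """M = C^d mod n."""
    d, n = private_key
    return pow(c, d, n)


if __name__ == "__main__":
    ku, kr = rsa_keygen(7, 17, 5)
    print(ku, kr)                       # (5, 119) (77, 119)
    print(totient(119), totient(7))     # 96 6
    c = rsa_encrypt(19, ku)
    print(c)                            # 66
    print(rsa_decrypt(c, kr))           # 19
```

Two details worth noticing when running it: `rsa_keygen(7, 17, 6)` is rejected because gcd(96, 6) = 6, so no d exists, and `rsa_encrypt(119, ku)` is rejected because the slide's 0 ≤ M < n bound is what makes decryption unambiguous. This is "textbook RSA" on a 7-bit modulus, exactly as the slides present it; deployed RSA uses moduli of 2048 bits or more and a padding scheme such as OAEP, without which an attacker can recognize repeated or guessable messages from their ciphertexts alone.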

Page 35: Network Security and Cryptography

Summary

Valuable information is constantly being exchanged between users

A means to protect this information during transmission is critical

Methods of security that were developed years ago are still being used (DES, RSA)

More complex encryption/decryption methods may be needed as advances in technology continue to flourish

Page 36: Network Security and Cryptography

Resources

http://en.wikipedia.org/wiki/Data_Encryption_Standard
http://en.wikipedia.org/wiki/Rsa
http://www.redbooks.ibm.com/abstracts/sg246168.html
Stallings, William. Cryptography and Internet Security: Principles and Practice, 2e. Upper Saddle River, NJ: Prentice-Hall, 1999
Stallings, William. Network Security Essentials: Applications and Standards, 3e.