Network Security

Network Security. Information secrecy-only specified parties know the information exchanged. Provided by cryptography. Information integrity-the information.

Jan 11, 2016



Elijah Reeves
Transcript
Page 1

Network Security

Page 2

Network Security

• Information secrecy (confidentiality): only the intended parties learn the information exchanged. Provided by encryption.

• Information integrity: the information reaches the intended party unaltered, and any modification in transit is detected. Provided by message authentication codes and digital signatures.

• Authentication: a user is really communicating with the party he or she believes is on the other end of the connection.

Page 3

Cryptography

The encryption model (for a symmetric-key cipher).

Page 4

Symmetric-Key Algorithms

• The transmitting and receiving users share the same secret key, which they agreed on somehow (distributing that key securely is the hard part; see page 7).

• Plaintext P is encrypted by the transmitting user under key K and becomes EK(P). The receiver decrypts EK(P) using the same key and obtains the plaintext P = DK(EK(P)). Recovering P, or K, from EK(P) without knowing K must be computationally infeasible.

• DES – Data Encryption Standard – 64-bit key of which only 56 bits are effective (8 are parity bits). That key is short enough to brute-force, so DES should not be used in new designs.

• AES – Advanced Encryption Standard – key of 128, 192 or 256 bits; the standard choice today.

Page 5

Public-Key Algorithms

• Each user has a public and a private key.

• Plain text, P, is encrypted by the transmitting user based on the public key of the receiving user, Bpub, and becomes EBpub(P).

• Receiving user is decrypting the message using its private key Bpri and obtains plaintext P=DBpri(EBpub(P)).

Page 6

Public-Key Algorithms

• RSA (Rivest, Shamir, Adleman)

1. Choose two large prime numbers p and q (typically 1024 bits each, giving a 2048-bit modulus n)

2. Compute n = p × q and z = (p − 1) × (q − 1)

3. Choose a number relatively prime to z and call it d.

4. Find e such that e × d = 1 mod z

5. Public key is (n, e), private key is (n, d)

6. Encryption is C = P^e mod n

7. Decryption is P = C^d mod n

• In practice the public exponent e is fixed first (commonly 65537) and d is computed as its inverse mod z; the two orderings give the same key pair. p, q and z must be kept secret or destroyed after key generation, since any of them reveals d. Plain "textbook" RSA as written here is deterministic and malleable, so real systems apply a padding scheme (OAEP for encryption, PSS or PKCS#1 v1.5 for signatures) before the modular exponentiation.

Page 7

Learning Shared Keys

• Encryption with a symmetric shared key is much faster than public-key encryption, so public-key methods are normally used only to establish a shared session key. Users can obtain the shared key either through public keys or through a key distribution center (KDC).

• With public keys, the transmitting user encrypts the shared key under the public key of the receiving user. The receiving user decrypts the message with its private key and learns the shared key.

• With a KDC, the KDC shares a long-term secret key with each user. User A sends a request, encrypted under its KDC key, saying that it wants to communicate with user B. The KDC replies, encrypted under A's key, with the session key S and a ticket EB(A, S) encrypted under B's key; A forwards the ticket to B, who decrypts it and learns that A wants to talk using S. As sketched here the exchange carries no freshness guarantee, so an old reply or ticket could be replayed; practical KDC protocols (Needham–Schroeder, Kerberos) add nonces or timestamps for that reason.

Page 8

Digital Signatures

• Ensure to the receiving party that it received exactly the information the transmitting party sent, and that it was that party who sent it (integrity plus origin authentication; the sender also cannot later deny having signed it).

• For example, the transmitting user appends to the plaintext a signature formed by applying its private key to the plaintext ("encrypting" it with the private key). The receiving user applies the public key of the transmitting user to the signature ("decrypts" it) and compares the result with the plaintext. Real signature schemes sign a padded hash of the message rather than the message itself (see page 10).

Page 9

Public-Key Signatures

Digital signatures using public-key cryptography.


Page 10

Digital Signatures Using Message Digests (MD5,SHA-1)

• Forming the signature by applying the private-key operation to the entire plaintext is time-consuming and doubles the amount of data transmitted.

• For this reason a message digest (hash) is computed from the plaintext. The digest function must be one for which it is computationally infeasible to find two messages with the same digest (collision resistance), or a second message matching a given digest. The signature is the digest signed with the private key.

• Since the digest is much shorter than the message itself, the signature takes less time to compute and less bandwidth to transfer. MD5 and SHA-1, named in the title, no longer provide collision resistance (practical collisions have been published for both), so new signatures should use SHA-256 or stronger.

Page 11

Authentication Protocol(Shared Key)

• User A sends to user B "I am A" and a nonce RA.

• B sends to A a nonce RB and HASH(RA, RB, A, B, S), where S is the shared secret key. In practice the "hash including the key" is a keyed MAC such as HMAC, which cannot be computed without S.

• A recomputes and checks B's value, then sends HASH(RA, RB, S) to B, which B checks in turn. Binding both nonces and both identities into the MACs ties each response to this run of the protocol, so an old response cannot be replayed and B's reply cannot be reflected back at B as if it were A's.
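The three-message exchange above, written out as an added Python example (this is not code from the original slides). HMAC-SHA256 stands in for HASH(..., S); the shared key, the identities A and B and the nonces are constructed for the run, and the two parties are simulated inside one function so that both sides' checks are visible.

```python
import hashlib
import hmac
import secrets

# Constructed example key; in reality S comes from a KDC or a public-key exchange.
SHARED_KEY = b"constructed example key, 32 bytes!!"


def mac(key: bytes, *fields: bytes) -> bytes:
    """HMAC-SHA256 over a length-prefixed encoding of the fields, so that
    (b"AB", b"C") and (b"A", b"BC") cannot produce the same MAC input."""
    encoded = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(key, encoded, hashlib.sha256).digest()


def run_protocol(key_a: bytes, key_b: bytes, a: bytes = b"A", b: bytes = b"B") -> str:
    """One run of the slide's exchange. key_a is A's copy of S and key_b is
    B's copy; they differ only when one side is an impostor without S."""
    # Message 1, A -> B: "I am A", RA
    ra = secrets.token_bytes(16)
    # Message 2, B -> A: RB, HASH(RA, RB, A, B, S)
    rb = secrets.token_bytes(16)
    tag_from_b = mac(key_b, ra, rb, a, b)
    # A recomputes the tag with its own key; compare_digest is constant-time
    if not hmac.compare_digest(tag_from_b, mac(key_a, ra, rb, a, b)):
        return "A rejects B"
    # Message 3, A -> B: HASH(RA, RB, S)
    tag_from_a = mac(key_a, ra, rb)
    if not hmac.compare_digest(tag_from_a, mac(key_b, ra, rb)):
        return "B rejects A"
    return "mutual authentication succeeded"


def reflection_is_blocked(key: bytes, ra: bytes, rb: bytes, a: bytes = b"A", b: bytes = b"B") -> bool:
    """Message 2 and message 3 cover different field sets, so a tag obtained
    from B in one run can never be passed off as A's message-3 tag."""
    return mac(key, ra, rb, a, b) != mac(key, ra, rb)


if __name__ == "__main__":
    print(run_protocol(SHARED_KEY, SHARED_KEY))          # both hold S
    print(run_protocol(SHARED_KEY, b"impostor key"))     # B does not hold S
```

The impostor case fails at A's check of message 2, before A ever sends its own MAC; an attacker who replaces B learns nothing usable from the run.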

Page 12

Authentication Protocol(Public Key)

• User A sends to user B "I am A" and a nonce RA.

• B sends to A a nonce RB and EBpriv(RA, RB, A, B), that is, the tuple signed with B's private key.

• A verifies the signed part with B's public key to check that it is really B, then signs the two nonces with its own private key, EApriv(RA, RB), and sends the result to B.

• B verifies the signed message with A's public key and checks that this is really A. Both sides need authentic copies of each other's public keys for this to mean anything, which is the problem certificates solve (next page).

Page 13

Management of Public Keys

• How users learn the real public keys of other users.

• A certificate comprises the public key and basic identifying data about a user (or host), and is signed by a certificate authority (CA).

• X.509 defines the certificate format.

• A public-key infrastructure (PKI) comprises CAs organized hierarchically: a root CA certifies intermediate CAs, which in turn certify end users, and a verifier follows that chain of signatures back to a root it already trusts.

Page 14

Certificates

A possible certificate and its signed hash. Fields shown in the figure: the hashing algorithm, the certificate authority and the validity period.

Page 15

Public-Key Infrastructures

(a) A hierarchical PKI. (b) A chain of certificates.
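The RSA steps of page 6, the key transport of page 7, the signature construction of pages 8 and 10 and the certificate chain of pages 13 to 15 share one key-generation and signing routine, so they are worked through together in this added Python example (not code from the original slides). Assumptions: step 1's random prime generation is replaced by fixed, well-known Mersenne primes that are far too small for real keys; the certificate is a toy JSON structure rather than X.509; and the names Root CA, Regional CA and bob, the message text and the 128-bit session key are constructed for the demonstration.

```python
import hashlib
import json
from math import gcd

# Step 1 of the slide is "choose two large primes". This example substitutes
# fixed Mersenne primes 2^k - 1 so it runs without a prime generator; they are
# far too small for real keys, which need random primes of about 1024 bits
# found with a primality test such as Miller-Rabin.
MERSENNE = {k: 2**k - 1 for k in (19, 31, 61, 89, 107, 127)}

def rsa_keygen(p, q):
    """Steps 2-5. Here e is fixed first (the usual 65537) and d is derived as
    its inverse mod z; the slide picks d first and derives e, which is the
    same relation read the other way round."""
    n, z = p * q, (p - 1) * (q - 1)
    e = 65537
    while gcd(e, z) != 1:                   # e must be relatively prime to z
        e += 2
    d = pow(e, -1, z)                       # modular inverse, Python 3.8+
    return (n, e), (n, d)                   # public key, private key

def rsa_encrypt(pub, m):                    # step 6: C = P^e mod n
    n, e = pub
    if not 0 <= m < n:
        raise ValueError("message must be an integer below n")
    return pow(m, e, n)

def rsa_decrypt(priv, c):                   # step 7: P = C^d mod n
    n, d = priv
    return pow(c, d, n)

def digest(data, n):
    """SHA-256 of the message as an integer below n (page 10). Real schemes
    (PKCS#1 v1.5, PSS) pad the hash to the full modulus size instead."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):                       # the digest "encrypted" with the private key
    n, d = priv
    return pow(digest(data, n), d, n)

def verify(pub, data, sig):                 # "decrypt" with the public key, compare digests
    n, e = pub
    return pow(sig, e, n) == digest(data, n)

def to_be_signed(cert):
    """Canonical bytes the CA signs: subject name, subject key, issuer name."""
    body = {k: cert[k] for k in ("subject", "pub", "issuer")}
    return json.dumps(body, sort_keys=True).encode()

def issue_cert(subject, subject_pub, issuer, issuer_priv):
    """Toy X.509-like certificate: identity plus public key, signed by the issuer."""
    cert = {"subject": subject, "pub": list(subject_pub), "issuer": issuer}
    cert["sig"] = sign(issuer_priv, to_be_signed(cert))
    return cert

def verify_chain(chain, trusted_roots):
    """chain[0] is the end-entity certificate. Each certificate must be signed
    by the next one in the list, and the last by a root in trusted_roots
    (a dict of root CA name -> public key), as in the slide's figure (b)."""
    for i, cert in enumerate(chain):
        if i + 1 < len(chain):
            if chain[i + 1]["subject"] != cert["issuer"]:
                return False
            issuer_pub = tuple(chain[i + 1]["pub"])
        elif cert["issuer"] in trusted_roots:
            issuer_pub = trusted_roots[cert["issuer"]]
        else:
            return False
        if not verify(issuer_pub, to_be_signed(cert), cert["sig"]):
            return False
    return True

def demo():
    """Constructed scenario: a root CA certifies a regional CA, which certifies Bob."""
    root_pub, root_priv = rsa_keygen(MERSENNE[89], MERSENNE[61])
    ca_pub, ca_priv = rsa_keygen(MERSENNE[31], MERSENNE[19])
    bob_pub, bob_priv = rsa_keygen(MERSENNE[127], MERSENNE[107])
    ca_cert = issue_cert("Regional CA", ca_pub, "Root CA", root_priv)
    bob_cert = issue_cert("bob", bob_pub, "Regional CA", ca_priv)
    forged = issue_cert("bob", bob_pub, "Regional CA", bob_priv)   # signed with the wrong key
    roots = {"Root CA": root_pub}
    session_key = 0x0123456789ABCDEF0123456789ABCDEF   # constructed 128-bit key (page 7)
    msg = b"constructed sample message"
    return {
        "key_transport": rsa_decrypt(bob_priv, rsa_encrypt(bob_pub, session_key)) == session_key,
        "signature_ok": verify(bob_pub, msg, sign(bob_priv, msg)),
        "tamper_detected": not verify(bob_pub, msg + b"!", sign(bob_priv, msg)),
        "chain_ok": verify_chain([bob_cert, ca_cert], roots),
        "forged_leaf_rejected": not verify_chain([forged, ca_cert], roots),
        "untrusted_root_rejected": not verify_chain([bob_cert, ca_cert], {}),
    }
```

Running `demo()` returns True for every entry. The forged leaf carries Bob's genuine public key and claims the right issuer, but it was not signed with the Regional CA's private key, so the chain check fails at the first link; the same check fails when the root is missing from the trust store, which is exactly what a browser does with an unknown CA.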

Page 16

Network Security in Practice

• IPsec

• Firewalls

• Virtual Private Networks (VPNs)

• E-mail security (Pretty Good Privacy – PGP)

• DNS security

• WWW security (Secure Sockets Layer – SSL)

Page 17

IPsec based on the Authentication Header Protocol

The IPsec authentication header in transport mode for IPv4.

The security parameters index (SPI) in the header identifies the security association; the receiver looks it up together with the IP address and the security protocol in use.

The authentication data field carries a keyed message digest (HMAC) computed over the packet with the shared key. AH therefore provides integrity and origin authentication for the packet, including most of the IP header, but no confidentiality.

Page 18

IPsec based on the Encapsulating Security Payload Protocol

(a) ESP in transport mode. (b) ESP in tunnel mode.

ESP encrypts the payload and optionally authenticates it as well. In transport mode only the transport-layer data is protected; in tunnel mode the entire original IP packet is encapsulated inside a new one, which is the mode used to build VPNs between gateways.

Page 19

Firewalls

• Two types: packet filters and application gateways.

• Packet filtering is based on IP addresses, TCP or UDP ports, ICMP message type and the TCP SYN and ACK bits. The first segment of a connection has ACK=0, so dropping inbound segments with ACK=0 prevents outside users from opening TCP connections to inside hosts while still letting through the replies to connections opened from inside. A stateless filter cannot tell a genuine reply from a forged packet that merely has the ACK bit set, which is why modern firewalls also track connection state.

• Application gateways understand the application protocol and may restrict certain applications to certain users.
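A stateless packet filter implementing the rules just described, added here as a Python example (not code from the original slides). The protected network 10.0.0.0/8, the mail server address, the rule table and the sample packets are all constructed; the last sample packet shows the limit of judging by the ACK bit alone.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed example topology: the protected network and its mail server.
INSIDE = ip_network("10.0.0.0/8")
MAIL_SERVER = "10.0.0.25"


@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    syn: bool = False
    ack: bool = False
    icmp_type: int = -1

    @property
    def inbound(self) -> bool:
        return ip_address(self.src) not in INSIDE and ip_address(self.dst) in INSIDE


# Ordered rule table: (description, match predicate, action). First match wins.
RULES = [
    ("allow inbound SMTP to the mail server",
     lambda p: p.inbound and p.proto == "tcp" and p.dst == MAIL_SERVER and p.dport == 25, "allow"),
    ("deny outside attempts to open TCP connections (ACK=0)",
     lambda p: p.inbound and p.proto == "tcp" and not p.ack, "deny"),
    ("allow remaining inbound TCP (replies to inside-initiated connections)",
     lambda p: p.inbound and p.proto == "tcp" and p.ack, "allow"),
    ("allow DNS replies from outside resolvers",
     lambda p: p.inbound and p.proto == "udp" and p.sport == 53, "allow"),
    ("allow only reply and error ICMP from outside (echo reply, unreachable, time exceeded)",
     lambda p: p.inbound and p.proto == "icmp" and p.icmp_type in (0, 3, 11), "allow"),
    ("allow everything outbound",
     lambda p: not p.inbound, "allow"),
]
DEFAULT_ACTION = "deny"


def filter_packet(pkt: Packet) -> tuple:
    """Return (action, rule description) for the first matching rule."""
    for description, matches, action in RULES:
        if matches(pkt):
            return action, description
    return DEFAULT_ACTION, "default policy"


# Constructed sample traffic (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLES = {
    "outside opens ssh to inside host": Packet("203.0.113.9", "10.0.0.7", "tcp", 40000, 22, syn=True),
    "reply to inside-initiated web connection": Packet("198.51.100.2", "10.0.0.7", "tcp", 443, 51000, syn=True, ack=True),
    "outside mail delivery": Packet("203.0.113.9", MAIL_SERVER, "tcp", 40001, 25, syn=True),
    "ping from outside": Packet("203.0.113.9", "10.0.0.7", "icmp", icmp_type=8),
    "dns reply": Packet("198.51.100.53", "10.0.0.7", "udp", 53, 33333),
    "ACK scan probe, no connection exists": Packet("203.0.113.9", "10.0.0.7", "tcp", 40002, 22, ack=True),
}


def run_samples() -> dict:
    """Map each sample's name to the action the filter takes on it."""
    return {name: filter_packet(p)[0] for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        action, why = filter_packet(pkt)
        print(f"{action:5}  {name}  ({why})")
```

The SSH connection attempt is denied because its first segment has ACK=0, while the web server's SYN/ACK reply is allowed. The final sample is the catch: a probe with the ACK bit set and no corresponding connection passes the same rule, which is the ACK-scan weakness of stateless filtering and the reason a stateful firewall keeps a table of connections it has seen open from the inside.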

Page 20

Virtual Private Networks

(a) A leased-line private network. (b) A virtual private network.

Page 21

E-mail Security: PGP – Pretty Good Privacy

PGP in operation for sending a message.

International Data Encryption Algorithm (IDEA): the symmetric cipher original PGP used to encrypt the message body, with the IDEA session key itself transported under the recipient's RSA public key.

Page 22

Secure DNS

An example RRSet for bob.com. The KEY record is Bob's public key. The SIG record is the top-level com server's signed hash of the A and KEY records, which lets a resolver verify their authenticity. (In current DNSSEC, RFC 4034, these record types are called DNSKEY and RRSIG.)

Page 23

SSL

A simplified version of the SSL connection establishment subprotocol. SSL has been superseded by its successor, TLS, and all SSL versions are now deprecated.