Top Banner
Network Security Network Security Sorina Sorina Persa Persa Group 3250 Group 3250
29

Network Security Sorina Persa Group 3250 Group 3250.

Dec 23, 2015

Download

Documents

Cody Bates
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
Page 1: Network Security Sorina Persa Group 3250 Group 3250.

Network SecurityNetwork Security

Sorina Sorina PersaPersa

Group 3250Group 3250

Page 2: Network Security Sorina Persa Group 3250 Group 3250.

OverviewOverview

Security servicesSecurity services Security threatsSecurity threats EncryptionEncryption Conventional encryptionConventional encryption Conventional encryption algorithmsConventional encryption algorithms Public key encryptionPublic key encryption Public key encryption algorithmsPublic key encryption algorithms Message authenticationMessage authentication IPv4 and IPv6 securityIPv4 and IPv6 security

Page 3: Network Security Sorina Persa Group 3250 Group 3250.

Security ServicesSecurity Services

ConfidentialityConfidentiality IntegrityIntegrity AuthenticationAuthentication Access controlAccess control Non-repudiationNon-repudiation AvailabilityAvailability

Page 4: Network Security Sorina Persa Group 3250 Group 3250.

Security threatsSecurity threatsInformation source

Information destination

a) Normal flow

b) Interruption c) Interception

d) Modification e) Fabrication

Page 5: Network Security Sorina Persa Group 3250 Group 3250.

Security threatsSecurity threats

Interruption – attack on availabilityInterruption – attack on availability Interception – attack on Interception – attack on

confidentialityconfidentiality Modification – attack on integrityModification – attack on integrity Fabrication – attack on authenticityFabrication – attack on authenticity

Page 6: Network Security Sorina Persa Group 3250 Group 3250.

Security threatsSecurity threats Passive attacks – eavesdropping on or Passive attacks – eavesdropping on or

monitoring of transmissionsmonitoring of transmissions Release of message contentsRelease of message contents Traffic analysisTraffic analysis

Active attacks – modification of the data Active attacks – modification of the data stream or creation of a false streamstream or creation of a false stream MasqueradeMasquerade ReplayReplay Modification of messageModification of message Denial of serviceDenial of service

Page 7: Network Security Sorina Persa Group 3250 Group 3250.

EncryptionEncryption

Encryption = the tool used for Encryption = the tool used for network and communication securitynetwork and communication security

It protects against passive attacksIt protects against passive attacks

Types:Types: Conventional encryptionConventional encryption Public-key encryptionPublic-key encryption Hybrid of the precedent onesHybrid of the precedent ones

Page 8: Network Security Sorina Persa Group 3250 Group 3250.

Conventional EncryptionConventional Encryption

Two parties share a single Two parties share a single encryption/decryption keyencryption/decryption key

Encryption algorithm(e.g. DES)

Decryption algorithm

Plaintext input

Secret key Secret key

Plaintext output

Transmittedciphertext

Page 9: Network Security Sorina Persa Group 3250 Group 3250.

Conventional Conventional encryptionencryption

Approaches to attacking a Approaches to attacking a conventional encryption scheme:conventional encryption scheme: Cryptanalysis – relies on the nature of the Cryptanalysis – relies on the nature of the

algorithms and some plaintext-ciphertext algorithms and some plaintext-ciphertext pairspairs

Brute-force attacks – try every possible keyBrute-force attacks – try every possible key

Time for key searchTime for key search

Key size (bits)

Number of alternative keys

Time required at1 encryption/sec

Time required at106 encryptions/sec

32 232 = 4.3x109 231 sec = 35.8 mins 2.15 millisecs56 256 = 7.2x1016 1142 years 10.01 hours128 3.4x1038 5.4x1024 years 5.4x1018 years

Page 10: Network Security Sorina Persa Group 3250 Group 3250.

Conventional encryption Conventional encryption algorithmsalgorithms

Block ciphers – process the plaintext Block ciphers – process the plaintext input in fixed-size blocks and input in fixed-size blocks and produce a block of ciphertext of produce a block of ciphertext of equal size for each plaintext blockequal size for each plaintext block

It is symmetricIt is symmetric DES (Data encryption standard)DES (Data encryption standard)

DEA (Data encryption algorithm)DEA (Data encryption algorithm) TDEA (Triple data encryption algorithm)TDEA (Triple data encryption algorithm)

AES (Advanced encryption standard)AES (Advanced encryption standard)

Page 11: Network Security Sorina Persa Group 3250 Group 3250.

DEADEA DES was developed by NISTDES was developed by NIST DEA key size is 56 bits and the blocks are of 64 bitsDEA key size is 56 bits and the blocks are of 64 bits Since 1977, every 5 years, NIST approved DES for useSince 1977, every 5 years, NIST approved DES for use In 1997, NIST solicited a new secret key algorithm In 1997, NIST solicited a new secret key algorithm

called Advanced Encryption Standard (it uses 128-bit called Advanced Encryption Standard (it uses 128-bit block size and a key length of minimum 128 bits)block size and a key length of minimum 128 bits)

In 1998 EFF (Electronic Frontier Foundation) In 1998 EFF (Electronic Frontier Foundation) announced that it had broken DESannounced that it had broken DES

In October 2000, successor to DES was selected and it In October 2000, successor to DES was selected and it was called Rijndaelwas called Rijndael

Double and triple DES is also commonDouble and triple DES is also common Triple DEA uses 3 keys and 3 executions of DEA:Triple DEA uses 3 keys and 3 executions of DEA: C = EC = Ek3k3[D[Dk2k2[E[Ek1k1[P]]][P]]] Its key length is of 168 bitsIts key length is of 168 bits

Page 12: Network Security Sorina Persa Group 3250 Group 3250.

Location of encryption Location of encryption devicesdevices

Link encryptionLink encryption Decrypt each packet Decrypt each packet

at every switchat every switch End-to-end End-to-end

encryption encryption the source encrypts the source encrypts

and the destination and the destination decryptsdecrypts

HybridHybrid Both link and end-Both link and end-

to-end are neededto-end are needed High securityHigh security

Page 13: Network Security Sorina Persa Group 3250 Group 3250.

Key distributionKey distributionFor encryption to work over a network, the twoFor encryption to work over a network, the twoparties (sender and receiver) must exchange andparties (sender and receiver) must exchange andshare the same keys, while protecting access to share the same keys, while protecting access to

thethekeys from others.keys from others. A key could be selected by A and physically A key could be selected by A and physically

distributed to Bdistributed to B A third party could select the key and physically A third party could select the key and physically

deliver it to A and B.deliver it to A and B. If A and B have previously and recently used a key, If A and B have previously and recently used a key,

one party could transmit the new key to the other, one party could transmit the new key to the other, encrypted using the old keyencrypted using the old key

If A and B could have an encrypted connection to a If A and B could have an encrypted connection to a third party C, C could deliver a key on the encrypted third party C, C could deliver a key on the encrypted link to A and Blink to A and B

Page 14: Network Security Sorina Persa Group 3250 Group 3250.

Public key encryptionPublic key encryption Public key algorithms are based on Public key algorithms are based on

mathematical function rather than on mathematical function rather than on simple operations on bit patternssimple operations on bit patterns

Public key cryptography is asymmetric, Public key cryptography is asymmetric, involving the use of two separate keysinvolving the use of two separate keys

The key ingredients are similar to that of The key ingredients are similar to that of conventional secret key algorithms, conventional secret key algorithms, except that there are two keys – a public except that there are two keys – a public key and a private key used as input to the key and a private key used as input to the encryption and the decryption algorithmencryption and the decryption algorithm

Page 15: Network Security Sorina Persa Group 3250 Group 3250.

Public key encryptionPublic key encryption

Encryption algorithm(e.g. RSA)

Decryption algorithm

Plaintext input

Destination’s public key

Destination’s private key

Plaintext output

Transmittedciphertext

Page 16: Network Security Sorina Persa Group 3250 Group 3250.

Public key encryptionPublic key encryption Steps:Steps:

Generation of a pair of keys to be used Generation of a pair of keys to be used for encryption and decryption of messagefor encryption and decryption of message

Placing one of the keys in a public Placing one of the keys in a public register and maintaining a collection of register and maintaining a collection of public keys from the other userspublic keys from the other users

Encrypting the message with the Encrypting the message with the destination’s public keydestination’s public key

When the destination receives the When the destination receives the message, it decrypts it with the private message, it decrypts it with the private keykey

Page 17: Network Security Sorina Persa Group 3250 Group 3250.

Digital signatureDigital signature

Encryption algorithm(e.g. RSA)

Decryption algorithm

Plaintext input

Source’s private key

Source’s public key

Plaintext output

Transmittedciphertext

Safe from alteration but not safe from eavesdropping

Page 18: Network Security Sorina Persa Group 3250 Group 3250.

Public key encryption Public key encryption algorithmsalgorithms

RSA – invented in 1973 by three MIT RSA – invented in 1973 by three MIT professorsprofessors

In contrast to DES, RSA uses sophisticated In contrast to DES, RSA uses sophisticated mathematics instead of simple manipulation mathematics instead of simple manipulation and substitutionand substitution

Mostly 1024 bit keys are usedMostly 1024 bit keys are used Public key encryption and decryption using Public key encryption and decryption using

RSA is 1000 times slower than secret key RSA is 1000 times slower than secret key methods using DESmethods using DES

DSA (Digital signature algorithm) – used for DSA (Digital signature algorithm) – used for digital signaturesdigital signatures

DSA was proposed by NISTDSA was proposed by NIST

Page 19: Network Security Sorina Persa Group 3250 Group 3250.

Hybrid of Conventional and Hybrid of Conventional and Public key encryptionPublic key encryption

A encrypts the message using A encrypts the message using conventional encryption with a one-conventional encryption with a one-time conventional session keytime conventional session key

A encrypts the session key using A encrypts the session key using public key encryption with B’s public public key encryption with B’s public keykey

Attach the encrypted session key to Attach the encrypted session key to the message and send it to Bthe message and send it to B

Page 20: Network Security Sorina Persa Group 3250 Group 3250.

Message Authentication Message Authentication and Hash functionand Hash function

It protects against active attacksIt protects against active attacks It proves that the message has not It proves that the message has not

been altered and that the source is been altered and that the source is authenticauthentic

MAC (Message Authentication Code)MAC (Message Authentication Code)M

MAC algo MAC

K

M M MAC algo

Compare

K

Page 21: Network Security Sorina Persa Group 3250 Group 3250.

One-way Hash FunctionOne-way Hash Function

It accepts a variable-size message M It accepts a variable-size message M as input and produces a fixed-size as input and produces a fixed-size message digest H(M) as outputmessage digest H(M) as output

H(M) is sent with the messageH(M) is sent with the message It does not take a secret key as inputIt does not take a secret key as input The message digest can be encrypted The message digest can be encrypted

using using Conventional encryptionConventional encryption Public-key encryptionPublic-key encryption Secret valueSecret value

Page 22: Network Security Sorina Persa Group 3250 Group 3250.

Message digest Message digest encrypted using encrypted using

conventional encryptionconventional encryption

M

H

E

M M H

Compare

D

K K

Page 23: Network Security Sorina Persa Group 3250 Group 3250.

Message digest Message digest encrypted using public-encrypted using public-

key encryptionkey encryption

M

H

E

M M H

Compare

D

Kprivate Kpublic

Page 24: Network Security Sorina Persa Group 3250 Group 3250.

Message digest Message digest encrypted using secret encrypted using secret

valuevalue

M

H

M M H

Compare

Page 25: Network Security Sorina Persa Group 3250 Group 3250.

Secure Hash FunctionSecure Hash Function Requirements:Requirements:

H can be applied to a block of data of any sizeH can be applied to a block of data of any size H produces a fixed-length outputH produces a fixed-length output H(H(xx) is easy to compute for every ) is easy to compute for every xx For any given code For any given code hh, it is computationally , it is computationally

infeasible to find infeasible to find x x such that H(such that H(xx)=)=hh For any given block For any given block x, x, it is computationally it is computationally

infeasible to find infeasible to find yy!=!=x x with H(with H(yy)=H()=H(xx)) It is computationally infeasible to find any pair It is computationally infeasible to find any pair

(x,y) (x,y) s.t. H(s.t. H(xx)=H()=H(yy)) One of the most important hash function is One of the most important hash function is

SHA-1 (every bit of the hash code is a SHA-1 (every bit of the hash code is a function of every bit in the input)function of every bit in the input)

Page 26: Network Security Sorina Persa Group 3250 Group 3250.

IPv4 and IPv6 securityIPv4 and IPv6 security Need to secure the network infrastructure Need to secure the network infrastructure

against unauthorized monitoring and against unauthorized monitoring and control of network traffic and the need to control of network traffic and the need to secure end-user-to-end-user traffic using secure end-user-to-end-user traffic using authentication and encryption mechanismsauthentication and encryption mechanisms

In response, IAB included authentication and In response, IAB included authentication and encryption as necessary security features in encryption as necessary security features in IPv6IPv6

IPSec provides the capability to secure IPSec provides the capability to secure communication across a LAN, across private communication across a LAN, across private and public WANs and across the Internetand public WANs and across the Internet

The principal feature of IPSec: it can encrypt The principal feature of IPSec: it can encrypt and/or authenticate and/or authenticate allall traffic at the IP level traffic at the IP level

Page 27: Network Security Sorina Persa Group 3250 Group 3250.

IPv4 and IPv6 securityIPv4 and IPv6 security

IPSec’s main facilities:IPSec’s main facilities: AH (Authentication Header) – an authentication-AH (Authentication Header) – an authentication-

only functiononly function Provides support for data integrity and authentication of Provides support for data integrity and authentication of

IP packetsIP packets ESP (Encapsulating Security Payload) – a ESP (Encapsulating Security Payload) – a

combined authentication/encryption functioncombined authentication/encryption function Provides confidentiality services, including Provides confidentiality services, including

confidentiality of message contents and limited traffic confidentiality of message contents and limited traffic flow confidentialityflow confidentiality

A key exchange functionA key exchange function Manual key managementManual key management Automated key managementAutomated key management

Page 28: Network Security Sorina Persa Group 3250 Group 3250.

Security associationSecurity association

It is a one-way relationship between a It is a one-way relationship between a sender and a receiver that affords sender and a receiver that affords security services to the traffic carried security services to the traffic carried on iton it

It can be identified by:It can be identified by: SPI (Security parameters index)SPI (Security parameters index) IP destination address: only unicast IP destination address: only unicast

addresses are allowedaddresses are allowed Security protocol identifier: AH or ESP SASecurity protocol identifier: AH or ESP SA

Page 29: Network Security Sorina Persa Group 3250 Group 3250.

IPv4 and IPv6 securityIPv4 and IPv6 security AH and ESP support two modes of use:AH and ESP support two modes of use:

Transport modeTransport mode Provides protection primarily for upper-layer Provides protection primarily for upper-layer

protocolsprotocols Provides protection to the payload of an IP packetProvides protection to the payload of an IP packet Typically used for end-to-end communication Typically used for end-to-end communication

between hostsbetween hosts Tunnel modeTunnel mode

Provides protection to the entire IP packetProvides protection to the entire IP packet Used when one or both ends of an SA is a security Used when one or both ends of an SA is a security

gateway, such as a firewall or router that gateway, such as a firewall or router that implements IPSecimplements IPSec