Security in Next Generation Networks: Fundamentals of Security in Next Generation Networks, Igor Faynberg

ppt - CEENet HOME Page - Central and Eastern European Networking ...

Jun 08, 2015


RockyS11
Transcript
Page 1: Fundamentals of Security in Next Generation Networks

Igor Faynberg

Security in Next Generation Networks

Page 2: Outline

• Scope and purpose; NGN vs. the Internet
• Introduction to general network security issues
• Cryptography, digests, and digital signatures
• Authentication protocols
• Communication security with application examples
• Social issues

Page 3: Scope and purpose

This tutorial is just
– an introduction into a very large field
– description of basic problems and general review of the existing solutions

It should help you decide
– whether you need to learn more
– where to look for more information
– what you need to do yourself and what you can trust others to do for you

Page 4: Next Generation Networks vs. the Internet

The Internet was designed and built by people who wanted a great tool; they had never thought (until 1989) that someone would think up Denial of Service (DoS)

The Internet was conceived with very few applications in mind (file transfer, e-mail)—no one even thought about e-commerce, VoIP, IPTV, etc. at the onset

As a result, Internet security was put in reactively and… late

• NGN must support many new resource-intensive applications in networks that will connect mutually distrusting organizations

• It takes a small percentage of hostile mischief to do considerable damage

• The society and its major institutions will depend on the NGN security

Page 5: NGN Subsystem Architecture Overview

[Figure: NGN subsystem architecture, based on 3GPP IMS R6. Labels: Applications; (SIP-based) IP Multimedia Subsystem (Core IMS); (SIP-I based) PSTN/ISDN Emulation Subsystem; (RTSP-based) Streaming services; Other Multimedia Subsystems; Network Attachment Subsystem; Resource and Admission Control Subsystem; Access Transport Network; Core Transport Network; IP Connectivity Access Network and related subsystems; PSTN; IP; gateways (GW)]

Page 6: Security may mean…

• Limitation of data disclosure
• Privacy
• Anonymous communications
• Prevention of changing data in transit
• Law enforcement
– destruction of pirated content
– tracking criminals
– monitoring enemy’s communications

Page 7: Basic Network Security Issues

• Confidentiality
– Keeping information secret from unintended users
• Authentication
– Confirming the identity of the presenter of the information
• Authorization
– Determining whether a user may be given a resource
• Non-repudiation
– A property that no party that has signed a contract can later deny having signed it
• Integrity
– Ensuring that a message received was the one that was actually sent

People had (more or less) learned how to deal with these issues in “normal” life. But how do we deal with them in the e-world?

Page 8: ITU-T Recommendation X.805 Security Architecture—the foundation of NGN Security studies

[Figure X.805_F3. Security layers: Infrastructure security; Services security; Applications security. Planes: End-user plane; Control plane; Management plane. 8 Security dimensions: Access control; Authentication; Non-repudiation; Data confidentiality; Communication security; Data integrity; Availability; Privacy. THREATS: Destruction; Corruption; Removal; Disclosure; Interruption. Other labels: VULNERABILITIES; ATTACKS]

Page 9: An example: E-mail…

Can you send a message that is truly private?

Do you know who really sent you a message?

Can you be sure that the message you know was sent to you by a friend was not modified in transit?

Can you send a truly anonymous message?

Page 10: Another example: Buying on-line

Can you be sure that the information you are supplying (including your credit card number and code—which proves your possession of the card) does not reach a thief?

Can you be really sure that you are paying the real merchant?

Can you buy anonymously?

Can you deny the payment after receiving the product (i.e., can the merchant prove that you have ordered the product)?

Page 11: Ensuring Confidentiality, Integrity, and Non-Repudiation: Cryptography

Cryptography = (secret) (writing)

[Figure: topics under cryptography. Labels: Ciphers; Symmetric-Key Algorithms; Public-Key Algorithms; Digital Signatures; Key Distribution; Certificates]

Page 12: Ciphers and Codes

Cipher: an atom-for-atom (e.g., character-for-character or bit-for-bit) transformation of the plaintext into ciphertext.

Code: replaces longer strings (e.g., words or sentences) with symbols

Page 13: Basics of Cryptography

All algorithms must be public; only the keys are secret. Auguste Kerckhoffs, 1883.

Page 14: Intruders and Cryptanalysis

An intruder listens to all communications and may copy or delete any message
– An active intruder modifies some messages and re-inserts them
– A passive intruder just listens

To decrypt a message without having a key, an intruder practices the art of cryptanalysis

Page 15: Classification of Ciphers

• Substitution ciphers
– Caesar’s cipher
– Affine transformation ciphers
• Transposition ciphers
• One-time pad
• Block ciphers
• Exponentiation ciphers
– RSA

Page 16: Substitution Ciphers

Each symbol is replaced by another symbol (Example: with the Latin alphabet, in monoalphabetic substitution, the key is a 26-letter string that represents the substituting permutation of the alphabet, so 26! keys are available)

Case study: Caesar cipher (A -> D, B -> E, C -> F, … Z -> C), or

ord(s) = [ord(s) + 3] mod 26.

Letters are packed in equal blocks to prevent cryptanalysis based on the word length

Page 17: Case Study: Caesar’s Cipher

Plaintext: A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25

Ciphertext: A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25

THIS MESSAGE IS TOP SECRET THISM ESSAG EISTO PSECR ET

19 7 8 18 12 | 4 18 18 0 6 | 4 8 18 19 14 | 15 18 4 2 17 | 4 19|

22 10 11 21 15 | 7 21 21 3 9 | 7 11 21 22 17 | 18 21 7 5 20 | 7 22

WKLVP HVVDJ HLVWR SVHFU HW

Page 18: Affine Transformation Ciphers

Substitution ciphers are easy to break with a relatively small amount of ciphertext, using statistical properties of the language (frequency of letters, digrams, trigrams, etc.)

More general:

• C = P + k (mod 26) is a shift transformation cipher;

• C = aP + b (mod 26), where (a, 26) = 1, is an affine transformation cipher

• φ(26) = 12 choices for a, 26 choices for b, altogether 312 transformations

• Inverse is computed as P = a’(C-b) (mod 26), where aa’ ≡ 1 (mod 26)

Key: (a, b)

Page 19: A Cryptanalysis Example

The frequencies of occurrence of letters in English text:

Letter A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Frequency 7 1 3 4 13 3 2 3 8 <1 <1 4 3 8 7 3 <1 8 6 9 3 1 1 <1 2 <1

Ciphertext: YFXMP CESPZ CJTDF DPQFW QZCPY NTASP CTYRX PDDLR PD

Analysis of the frequencies of occurrence of letters in the ciphertext:

Letter A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Frequency 1 0 4 5 1 3 0 0 0 1 0 1 1 1 0 7 2 2 2 3 0 0 1 2 3 2

(Suppose we know that a shift transformation cipher was used)

Guess: P(7) = E(13) => 15 = 4 + k (mod 26) => k = 11.

Plaintext: NUMBE RTHEO RYISU SEFUL FOREN CIPHE RINGM ESSAG ES

(NUMBER THEORY IS USEFUL FOR ENCIPHERING MESSAGES)
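
The affine cipher of page 18 and the frequency guess worked above can be checked in a few lines. This is an added example, not part of the original slides; the function names and the ranking string `ENGLISH_BY_FREQUENCY` (read off the slide's English table) are assumptions of the example.

```python
from collections import Counter
from math import gcd

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"

# Ciphertext quoted from the slide; the ranking is the top of the slide's
# English frequency table (E 13, T 9, I/N/R 8, A/O 7).
SLIDE_CIPHERTEXT = "YFXMP CESPZ CJTDF DPQFW QZCPY NTASP CTYRX PDDLR PD"
ENGLISH_BY_FREQUENCY = "ETINRAO"


def letters(text):
    """Keep only A-Z, upper-cased (the slides drop spaces and regroup in fives)."""
    return [ch for ch in text.upper() if ch in ALPHABET]


def affine_encrypt(plaintext, a, b):
    """C = aP + b (mod 26); (a, 26) = 1 is required so the map is invertible."""
    if gcd(a, 26) != 1:
        raise ValueError("a must be relatively prime to 26")
    return "".join(ALPHABET[(a * ALPHABET.index(ch) + b) % 26]
                   for ch in letters(plaintext))


def affine_decrypt(ciphertext, a, b):
    """P = a'(C - b) (mod 26), where a*a' = 1 (mod 26)."""
    if gcd(a, 26) != 1:
        raise ValueError("a must be relatively prime to 26")
    a_inv = pow(a, -1, 26)  # modular inverse, Python 3.8+
    return "".join(ALPHABET[(a_inv * (ALPHABET.index(ch) - b)) % 26]
                   for ch in letters(ciphertext))


def key_space():
    """Every valid key (a, b): phi(26) = 12 values of a times 26 values of b."""
    return [(a, b) for a in range(26) if gcd(a, 26) == 1 for b in range(26)]


def candidate_shifts(ciphertext):
    """Ranked guesses for k in C = P + k (mod 26).

    The most common ciphertext letter is assumed to stand for E, then T, and
    so on; on a short text the first guess can be wrong, so the analyst walks
    down the list until the decryption reads as language.
    """
    top_cipher = Counter(letters(ciphertext)).most_common(1)[0][0]
    c = ALPHABET.index(top_cipher)
    return [(c - ALPHABET.index(p)) % 26 for p in ENGLISH_BY_FREQUENCY]


if __name__ == "__main__":
    for k in candidate_shifts(SLIDE_CIPHERTEXT)[:3]:
        print(k, affine_decrypt(SLIDE_CIPHERTEXT, 1, k))
```

A shift cipher is the affine cipher with a = 1, which is why `affine_decrypt(..., 1, k)` is used to test each guess.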

Page 20: Transposition Cipher

All symbols are reordered according to a permutation specified by the key

Example:

ILOVEY    the key—must have no repeated symbols
234516    the relative order of each symbol in the key

LETUSM    plaintext is written in rows of the key’s size
EETTON
IGHTXY    the last row is padded

1 2 3 4 5 6

SOXLEIEEGTTHUTTMNY    (ciphertext is written in columns permuted in the order of key’s symbols)

Transposition ciphers can also be broken by guessing the key size and using statistical analysis when the cryptanalyst knows that it is a transposition cipher.
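
The columnar transposition above, written out with its inverse. This is an added example, not part of the original slides; the function names and the padding letters `XYZ` (chosen so the slide's `XY` padding is reproduced) are assumptions.

```python
from collections import Counter


def read_order(key):
    """Column indices in the order they are read out: by rank of the key symbol."""
    if len(set(key)) != len(key):
        raise ValueError("key must have no repeated symbols")
    return sorted(range(len(key)), key=lambda i: key[i])


def pad_plaintext(plaintext, width, pad="XYZ"):
    """Strip non-letters and pad the last row (assumed padding letters)."""
    letters = [ch for ch in plaintext.upper() if ch.isalpha()]
    i = 0
    while len(letters) % width:
        letters.append(pad[i % len(pad)])
        i += 1
    return "".join(letters)


def transpose_encrypt(plaintext, key):
    """Write the text in rows of len(key), read it out column by column."""
    width = len(key)
    text = pad_plaintext(plaintext, width)
    rows = [text[r:r + width] for r in range(0, len(text), width)]
    return "".join(row[col] for col in read_order(key) for row in rows)


def transpose_decrypt(ciphertext, key):
    """Refill the columns in key order, then read the grid row by row."""
    width = len(key)
    if len(ciphertext) % width:
        raise ValueError("ciphertext length must be a multiple of the key length")
    height = len(ciphertext) // width
    grid = [[""] * width for _ in range(height)]
    for n, col in enumerate(read_order(key)):
        chunk = ciphertext[n * height:(n + 1) * height]
        for r, ch in enumerate(chunk):
            grid[r][col] = ch
    return "".join("".join(row) for row in grid)


def letter_counts_preserved(plaintext, key):
    """Transposition only moves letters, so the letter counts are unchanged.

    This is the statistical fingerprint that tells a cryptanalyst the cipher
    is a transposition rather than a substitution.
    """
    padded = pad_plaintext(plaintext, len(key))
    return Counter(padded) == Counter(transpose_encrypt(plaintext, key))


if __name__ == "__main__":
    ct = transpose_encrypt("LET US MEET TONIGHT", "ILOVEY")
    print(ct, transpose_decrypt(ct, "ILOVEY"))
```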

Page 21: One-Time Pad Cipher

Any bit sequence the size of plaintext can be a key. Each bit of plaintext is XOR-ed with the corresponding bit of the key to produce a bit of the ciphertext

(XOR) +:

+ | 0 1
0 | 0 1
1 | 1 0

$x \oplus y = (x \wedge \bar{y}) \vee (\bar{x} \wedge y)$

$E_K = D_K$

Example:

Plaintext:  001110011010010110
Key:        100100100111110110
Ciphertext: 101010111101100000

One-time Pad is unbreakable; however key distribution is a big problem…

(Quantum cryptography may help!)

Page 22: Block Ciphers (Affine Transformation)

Key:
– A is a square integer matrix of order n such that (|A|, 26) = 1
– B is an n-vector of integers

The ciphertext is split into blocks of length n; the last block is padded

For each block P, compute C = (AP + B) (mod 26)

Page 23: A Little Detour: Three Facts of the Elementary Number Theory

Euler’s Theorem: If m > 0 and a and m are integers, such that (a, m) = 1, then

$a^{\varphi(m)} \equiv 1 \pmod{m}$.

Let a, b, and m be integers, m > 0 and (a, m) = d. If d | b, then the equation ax ≡ b (mod m) has exactly d incongruent solutions; otherwise, it has no solutions.

Fermat’s Little Theorem: If p is prime and a > 0 is an integer that is not divisible by p, then $a^{p-1} \equiv 1 \pmod{p}$.

Page 24: Exponentiation Ciphers

After Pohlig and Hellman, 1978:
• p is a prime
• The key, e > 0, satisfies: (e, p-1) = 1

Plaintext: A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25

1. Group the resulting numbers into blocks of 2m decimal digits, where m is the largest even integer such that the decimal value of each block is less than p

2. For each plaintext block, P, compute a ciphertext block $C = P^e \pmod{p}$

3. To decipher, find d such that de ≡ 1 (mod p-1) and compute $P = C^d \pmod{p}$:

$C^d \equiv P^{ed} \equiv P^{k(p-1)+1} \equiv [P^{p-1}]^k P \equiv P \pmod{p}$ (by Fermat’s Little Theorem)

Page 25: Exponentiation Ciphers: An Example

p = 2633; the key e = 29; (e, p-1) = (29, 2632) = 1; Block length is 4 (m=2)

Plaintext: A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25

THIS IS AN EXAMPLE OF AN EXPONENTIATION CIPHER

1907 0818 0818 0013 0423 0012 1511 0414 0500 1304 2315 1413 0413 1908 0019 0814 1302 0815 0704 1723

$1907^{29} \equiv 2199 \pmod{2633}$

2199 1745 1745 1206 2437 2425 1729 1619 0935 0960 1072 1541 1701 1553 0735 2064 1351 1794 1841 1459

d = 2269

2269*2622 ≡ 1 (mod 2622)

$2199^{2269} \equiv 1907 \pmod{2633}$

Page 26: Exponentiation Ciphers—Major Properties

For encryption of each plaintext block P, we use $O([\ln p]^3)$ operations. Ditto for decryption (including finding an inverse d of e modulo p-1)

Cryptanalysis cannot be done rapidly. To discover the key e (knowing the prime p) takes—to the best of the present knowledge—$\exp([\ln p \ln \ln p]^{1/2})$ operations (the Discrete Logarithm Problem).

Special cases (when p-1 has only small prime factors) exist, where it is possible to compute the discrete logarithm in $O(\ln^3 p)$; these have to be carefully avoided when choosing p.

If p has 100 decimal digits, finding logarithms modulo p requires about 74 years; if it has 200 digits, about 3800000000 years are required!

Page 27: One Immediate Application: The Diffie-Hellman Algorithm

Problem: Establish common keys (for symmetric cryptography) to be used by two individuals so that intruders cannot discover them in a feasible amount of computer time.

Let
• p be a large prime
• a be an integer relatively prime to p

These are known to all!

Pick $k_1$ relatively prime to p-1

$y_1 \equiv a^{k_1} \pmod{p},\ 0 < y_1 < p$

Pick $k_2$ relatively prime to p-1

$y_2 \equiv a^{k_2} \pmod{p},\ 0 < y_2 < p$

$K \equiv y_1^{k_2} \equiv a^{k_1 k_2} \pmod{p},\ 0 < K < p$

=

$K \equiv y_2^{k_1} \equiv a^{k_2 k_1} \pmod{p},\ 0 < K < p$

Page 28: A Simple Example of a DH Exchange

p = 17, a = 2

$k_1 = 3$

$y_1 \equiv a^{k_1} \pmod{p} \equiv 8 \pmod{17} \equiv 8$

$k_2 = 5$

$y_2 \equiv a^{k_2} \pmod{p} \equiv 32 \pmod{17} \equiv 15$

$K \equiv y_1^{k_2} \pmod{p} \equiv 32768 \pmod{17} \equiv 9$

=

$K \equiv y_2^{k_1} \pmod{p} \equiv 3375 \pmod{17} \equiv 9$

Page 29: The Diffie-Hellman Exchange among n parties

Let
• p be a large prime
• a be an integer relatively prime to p

These are known to all!

Pick: $k_1$ relatively prime to p-1; $k_2$ relatively prime to p-1; …; $k_n$ relatively prime to p-1

Broadcast: $y_i \equiv a^{k_i} \pmod{p},\ 0 < y_i < p$

Compute and broadcast: the intermediate values $a^{k_i k_j} \pmod{p}$ for $i \ne j$, then $a^{k_i k_s k_t} \pmod{p}$ for distinct $i, s, t$, and so on

Compute: $K \equiv a^{k_1 k_2 \cdots k_n} \pmod{p}$

Page 30: Fundamental Principles of Cryptography

Redundancy
– Ensure that the cipher space is larger than the actual problem space in the plaintext (DOS!)

Freshness
– Ensure that a receiver can establish that a message is fresh (not a replay of another message)

ID (0-7); ID space (0-1024)

But don’t overdo it—ease of cryptanalysis!

Page 31: Modern Symmetric-Key Algorithms

Combine transpositions and substitutions and cascade them to make the algorithms very complex (to prevent cryptanalysis even when large amounts of ciphertext are available)

Often use block ciphers

$E_K$, $D_K$

[Figure: a cascade of transposition (T) and substitution (S) stages. Labels: 4-bit transposition (T); 2-bit substitution (S); 2 to 4 decoder; 4 to 2 encoder; Cascading into a product]

Page 32: Some Common Symmetric-Key Cryptographic Algorithms (after A. Tanenbaum)

Cipher | Key size (bits) | Characteristics
Rijndael | 128-256 | Best
Triple DES | 168 | Second best
Serpent, Twofish | 128-256 | Very strong
IDEA | 128 | Good (but patented)
RC5 | 128-256 | Good (but patented)
RC4 | 1-2048 | Some keys are weak
DES | 56 | Weak

Page 33: Public-Key Cryptography

A (public key, private key) pair
– Publish the public key (= encryption key) $E_K$
– Keep the private key (= decryption key) $D_K$ secret

Two essential requirements:
1) $D_K E_K = I$
2) It is very hard (i.e., computationally infeasible) to obtain $D_K$ from $E_K$

– To send a message M to you, I send $E_K(M)$;
– You decrypt it, obtaining: $D_K(E_K(M)) = M$.

Page 34: RSA (Rivest, Shamir, Adleman)

Parameters: p, q, n, z, d, e
– Choose large (1024 bits) primes: p, q
– Compute n = pq, z = φ(n) = (p-1)(q-1)
– Choose the exponent e relatively prime to z
– Find d: ed ≡ 1 (mod z)

Keys: public, (e, n); private, (d, n)

Encryption and decryption:
– Break the plaintext into largest equal even-digit blocks (P) shorter than n bits
– Encrypt each block P by computing $C = E(P) \equiv P^e \pmod{n}$
– Decrypt C by computing $D(C) \equiv C^d \pmod{n} \equiv P^{ed} \pmod{n} \equiv P^{k\varphi(n)+1} \pmod{n} \equiv P^{k\varphi(n)} P \pmod{n} \equiv P \pmod{n}$

Euler’s Theorem:

If n > 0 and e and d are integers, such that (a, m) = 1, then $a^{\varphi(m)} \equiv 1 \pmod{m}$.

The probability that P and n are not relatively prime is extremely low!

Page 35: RSA: An Example

p = 43, q = 59; n = 43*59 = 2357; φ(n) = 42*58 = 2436

Exponent e = 13; (e, φ(n)) = (13, 42*58) = 1; Block length is 4

Plaintext: A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

00 01 02 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25

PUBLIC KEY CRYPTOGRAPHY

1520 0111 0802 1004 2402 1724 1519 1406 1700 1507 2423

$E(P) \equiv P^e \pmod{n}$

$1520^{13} \equiv 95 \pmod{2537}$

0095 1648 1410 1299 0811 2333 2132 0370 1185 1457 1084

d = 937

937*13 ≡ 1 (mod 2436)

$P \equiv C^d \pmod{n}$

$0095^{937} \equiv 1520 \pmod{2537}$

Public key: (13, 2357)

Private key: (937, 2357)
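
The exponentiation cipher of pages 24-25 and the RSA example above share the same letter-to-block encoding and the same modular exponentiation, so one added example (not part of the original slides) covers both. The function names are assumptions; the RSA modulus is taken as 43*59 = 2537, the value the slide's congruences use, and odd-length text is padded with X as in both slides.

```python
from math import gcd


def text_to_blocks(text, pad="X"):
    """Map A..Z to 00..25 and join two letters into one 4-digit decimal block."""
    letters = [ch for ch in text.upper() if "A" <= ch <= "Z"]
    if len(letters) % 2:
        letters.append(pad)  # pad the last block, as the slides do with X (23)
    codes = [ord(ch) - ord("A") for ch in letters]
    return [100 * codes[i] + codes[i + 1] for i in range(0, len(codes), 2)]


def blocks_to_text(blocks):
    """Inverse of text_to_blocks (padding is left in place)."""
    return "".join(chr(ord("A") + b // 100) + chr(ord("A") + b % 100)
                   for b in blocks)


def modexp_blocks(blocks, exponent, modulus):
    """Raise every block to `exponent` modulo `modulus` (encrypts or decrypts)."""
    if any(b >= modulus for b in blocks):
        raise ValueError("every block must be smaller than the modulus")
    return [pow(b, exponent, modulus) for b in blocks]


def exponentiation_keys(p, e):
    """Pohlig-Hellman style key: e with (e, p-1) = 1, and d with de = 1 (mod p-1)."""
    if gcd(e, p - 1) != 1:
        raise ValueError("e must be relatively prime to p-1")
    return e, pow(e, -1, p - 1)


def rsa_keys(p, q, e):
    """RSA keys: public (e, n), private (d, n) with ed = 1 (mod (p-1)(q-1))."""
    n, z = p * q, (p - 1) * (q - 1)
    if gcd(e, z) != 1:
        raise ValueError("e must be relatively prime to (p-1)(q-1)")
    return (e, n), (pow(e, -1, z), n)


def show(blocks):
    """Format blocks the way the slides print them."""
    return " ".join(f"{b:04d}" for b in blocks)


if __name__ == "__main__":
    # Exponentiation cipher with the slide's p = 2633, e = 29.
    e, d = exponentiation_keys(2633, 29)
    plain = text_to_blocks("THIS IS AN EXAMPLE OF AN EXPONENTIATION CIPHER")
    cipher = modexp_blocks(plain, e, 2633)
    print("d =", d)
    print(show(cipher))
    print(blocks_to_text(modexp_blocks(cipher, d, 2633)))

    # RSA with the slide's p = 43, q = 59, e = 13.
    (e, n), (d, _) = rsa_keys(43, 59, 13)
    plain = text_to_blocks("PUBLIC KEY CRYPTOGRAPHY")
    cipher = modexp_blocks(plain, e, n)
    print("n =", n, "d =", d)
    print(show(cipher))
    print(blocks_to_text(modexp_blocks(cipher, d, n)))
```

The only difference between the two ciphers in this code is where the inverse of e is taken: modulo p-1 for the prime-modulus cipher, modulo (p-1)(q-1) for RSA, which is what makes d infeasible to derive from the public (e, n) without factoring n.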

Page 36: Analysis of RSA

100-digit primes p and q, the encryption exponent e, and its inverse, d, can be found in a few minutes of computer time. Now, both keys are ready!

Modular exponentiation for encryption can be performed in a few seconds when the modulus, exponent, and base have as many as 200 digits

Decryption (private key operations) takes longer, in general

Any known method of finding d from e and n is based on factoring n

The security of RSA is based on the difficulty of factoring large integers

Page 37: Properties of RSA

The algorithm is secure because of the difficulty of factoring N. Factoring a 500-digit number should take $10^{25}$ years using a CPU with 1 microsecond instruction time

Encryption and decryption are inverse and commutative (an important property for digital signatures)

The algorithm is slow (compared to DES and other symmetric algorithms with much shorter keys)

RSA may be prohibitively slow when dealing with large blocks of data. It is typically used for one-time session key distribution for a symmetric-key algorithm (such as triple-DES)

Page 38: Typical use of RSA for Key Distribution in Symmetric Cryptography (hybrid encryption)

Sender randomly generates K, and sends:

Plaintext encrypted with the symmetric-key algorithm $E_K$ + K, encrypted using RSA with the public key of the receiver

Receiver

1. Decrypts K using the private key

2. Decrypts the message using $D_K$

Page 39: Other Public-Key Algorithms

• Knapsack (Merkle and Hellman, 1978)—based on NP-completeness of the Knapsack problem
– Was the first public-key algorithm, but is considered insecure and not used
• El Gamal (1985) is based on difficulties computing discrete logarithms
– More computationally-intensive than RSA
– Is totally unencumbered by copyright and patents
• RSA
– Users can have problems with proper generation of primes (some primes or pseudo-primes may aid factoring)
– not appropriate for use in situations where key generation occurs regularly
– Patents expired
• Elliptic-Curve Cryptography (ECC) (Miller and Koblitz, 1985) hinges on the intractability of the discrete logarithm problem in the algebraic system defined on the elliptic curve points
– Uses smaller keys than RSA or El Gamal
– Is significantly faster than RSA (for the same security)
– Is patented

Page 40: Digital Signatures and Non-Repudiation

Requirements
– The receiver can verify the claimed identity of the sender
– The sender cannot repudiate the contents of the message
– The receiver cannot sign its own message with someone else’s signature

The implementations can be based both on symmetric- and public-key signatures

Page 41: Non-Repudiation with Symmetric-Key Digital Signatures

A single third party (Central Authority, A) keeps everyone’s keys

X → A: $E_{K(X)}(M, Y, R_X, t)$

A → Y: $E_{K(Y)}[M, X, R_X, t', E_{K(A)}(M, X, t)]$

• K(X)—X’s key with A
• M—the message from X to Y
• Y—the receiver’s identity
• $R_X$—a random number
• t, t’—timestamps
• K(Y)—Y’s key with A
• K(A)—the key only A knows
• X—the sender’s identity

Now X cannot deny having sent M to Y!

Page 42: Non-Repudiation with Public-Key Digital Signatures

Works with any public key algorithm with the property E[D(P)] = P

(RSA is one of them, but there are others)

X → Y: $S = D_{Pr(X)}(M)$

$M = E_{Pu(X)}(S)$

• Pu(Y)—Y’s public key
• Pr(X)—X’s private key

No third party needed!

Page 43: Non-Repudiation and Confidentiality with Public-Key Digital Signatures

Again, use any public key algorithm with the property E[D(P)] = P

X → Y: $S = E_{Pu(Y)}[D_{Pr(X)}(M)]$

$M = D_{Pr(Y)}[E_{Pu(X)}(S)]$

• Pu(X)—X’s public key
• Pr(X)—X’s private key
• Pu(Y)—Y’s public key
• Pr(Y)—Y’s public key

No third party needed!

Page 44: Some Problems with Public-Key Digital Signatures

• If X discloses his or her private key (or claims that it was stolen), it can no longer be proven that X had sent the message
• Ditto if X decides to change his or her key
• The scheme is an overkill (it is slow) because it combines authentication with confidentiality

An improvement is needed!

(We will start by addressing the last item.)

Page 45: One-Way Functions and Digests

Given an algorithm for computing f(x), it is easy to compute y = f(x) for any x

Given the value of y = f(x), it is hard (i.e., computationally infeasible) to compute x

Given x, it is hard to find t such that f(x)=f(t)
– to meet this criterion, the hash should be at least 128 bits long

One-bit change to x produces a very different output, f(x)
– to meet this criterion, the algorithm must toss the bits very thoroughly—quite differently from what symmetric key algorithms do!

Computing and encrypting a message digest is much faster than encrypting the whole text!

Page 46: Digital Signatures with Message Digest (non-repudiation)

(a) D is the private key of the sender

(b) The receiver uses the public key of the sender to check the signature

The trick: Sign only the digest, not the whole message!

Page 47: Two Popular Message Digest Algorithms

– Message Digest (MD5) (Rivest, 1992)
  Produces a 64-bit result
  Supersedes the previous four MDs in a series, but they are all “broken”

– Secure Hash Algorithm (SHA-1)
  Produces a 160-bit result
  Is standardized by NIST in FIPS 180-1
  Is on its way to replace MD5

Page 48: The Birthday Attack

Q: How many people need to be in a room before the probability of two of them having the same birthday exceeds 1/2?

A: 23

More generally, in matching n inputs with k<n outputs, a match (two inputs assigned to the same output) is likely for $n = k^{1/2}$. And so, with MD5, one could generate $2^{32}$ matches and probably get two with the same digest.
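
The birthday figure and the square-root rule can be checked numerically. This is an added example, not part of the original slides: it computes the exact match probability, and then measures how many messages are needed before two share a digest, using SHA-256 truncated to a chosen number of bits as a stand-in for a short digest (the function names, the truncation and the `message-<i>` inputs are assumptions of the example).

```python
import hashlib
import math
from itertools import count


def match_probability(n, k):
    """Exact probability that at least two of n inputs share one of k
    equally likely outputs."""
    if n > k:
        return 1.0  # pigeonhole: a match is certain
    p_all_distinct = 1.0
    for i in range(n):
        p_all_distinct *= (k - i) / k
    return 1.0 - p_all_distinct


def smallest_group(k, target=0.5):
    """Smallest n for which the match probability exceeds `target`."""
    n = 1
    while match_probability(n, k) <= target:
        n += 1
    return n


def expected_inputs(k):
    """Closed-form estimate of that n: sqrt(2 k ln 2), about 1.18 * k^(1/2)."""
    return math.sqrt(2 * k * math.log(2))


def truncated_digest(message, bits):
    """Top `bits` bits of SHA-256, modelling a digest only `bits` long."""
    full = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return full >> (256 - bits)


def find_match(bits):
    """Hash constructed messages until two share a truncated digest.

    Returns (first_message, second_message, messages_hashed).
    """
    seen = {}
    for i in count():
        message = f"message-{i}".encode()
        digest = truncated_digest(message, bits)
        if digest in seen:
            return seen[digest], message, i + 1
        seen[digest] = message


if __name__ == "__main__":
    print("people needed:", smallest_group(365))
    for bits in (16, 24, 32):
        _, _, tried = find_match(bits)
        print(f"{bits}-bit digest: match after {tried} messages, "
              f"estimate {expected_inputs(2 ** bits):.0f}")
```

Each extra 2 bits of digest only doubles the work, which is why the digest length has to be about twice the security level wanted against this kind of search.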

Page 49: Back to Problems with Public-Key Digital Signatures

• If X discloses his private key (or claims that it was stolen), it can no longer be proven that X had sent the message
• Ditto if X decides to change his key
• The scheme is an overkill (it is slow) because it combines authentication with confidentiality

An improvement is needed! And then there is a basic problem: Where do I get your public key, and how can I trust the place I get it from?

Page 50: Certificates (Public Key Distribution)

To use the public key signature scheme, the sender’s public key must be known

It could be published (on a web site, for example), but then it could also be altered

A common solution is to use certificates:
– A sender attaches his or her (name, public key) pair, digitally signed by the trusted third party—the Certification Authority (CA)
– Once the receiver has obtained the public key of the CA, the receiver can accept certificates from all senders who use this CA

Page 51: A Certificate

Presumably, your computer has been pre-loaded with the SuperCert public key, P, so you can always

• Compute the SHA-1 digest D of the declaration part of the certificate

• Verify that D = P(signature)

There is nothing secret about certificates; they can be sent in the open

I, the SuperCert Certification Authority, am delighted to confirm that the public key A789FHAFFDEG8600FFA belongs to Igor Faynberg

The SHA-1 digest of the above, signed with the SuperCert private key

Page 52: A Different Use of a Certificate: Binding An Attribute to a Key

I, the SuperCert Certification Authority, am delighted to confirm that the person who owns the public key A789FHAFFDEG8600FFA is older than 21, and so you can legally sell him alcohol in New Jersey.

The SHA-1 digest of the above, signed with the SuperCert private key

An important feature: It preserves privacy!

Page 53: Questions:

What are all the possible formats (of attributes and all), and who could possibly manage them?

How can one CA possibly manage all certificates, and which organization is it anyway?

And suppose everyone trusts this organization, but how could it preserve its single public key from being modified?

Page 54: X.509: A standard for certificates

Contained in ITU-T Recommendation X.509

Page 55: Public Key Infrastructure (PKI): Schematic description

[Figure: tree of authorities linked by a chain of trust. Root; Regional Authorities RA 1, RA 2, RA 3; Certificate Authorities CA 1.1 (SuperCert), CA 1.2, CA 2.1, CA 3.1]

Root: RA 1 is approved, Key 76FABFF8A...; RA 2 is approved, Key: 17AF654...; RA 3 is approved, Key: 2FABCFF...

RA 1: CA 1.1 is approved, Key 5F2AB...; CA 2.1 is approved, Key A4567...

RA: Regional Authority

CA: Certificate Authority

I, the SuperCert Certification Authority, am delighted to confirm the public key A789FHAFFDEG8600FFA belongs to Igor Faynberg

The SHA-1 digest of the above, signed with the SuperCert private key

Page 56: More on PKI

There are many roots with their own trees. Modern browsers come pre-loaded with over 100 roots known as trust anchors
– So, there is no single world-wide authority

Certificates can be stored at the user’s sites, but it would be more convenient (easier to look them up) to use the Domain Name System and store them at DNS sites

Certificates are timed, and they can also be revoked (CAs issue Certificate Revocation Lists [CRLs])

Page 57: Symmetric Key Distribution: Diffie-Hellman revisited

Problem: Establish common keys (for symmetric cryptography) to be used by two individuals so that intruders cannot discover them in a feasible amount of computer time.

Let
• p be a large prime
• a be an integer relatively prime to p

Pick $k_1$ relatively prime to p-1

$y_1 \equiv a^{k_1} \pmod{p},\ 0 < y_1 < p$

Pick $k_2$ relatively prime to p-1

$y_2 \equiv a^{k_2} \pmod{p},\ 0 < y_2 < p$

$K \equiv y_1^{k_2} \equiv a^{k_1 k_2} \pmod{p},\ 0 < K < p$

=

$K \equiv y_2^{k_1} \equiv a^{k_2 k_1} \pmod{p},\ 0 < K < p$

The Man-in-the-Middle Attack

Establish K1

Establish K2

Avoiding a Man in the Middle: Signed Diffie-Hellman

Let
• p be a large prime
• a be an integer relatively prime to p

A: Pick $k_1$ relatively prime to $p-1$

B: Pick $k_2$ relatively prime to $p-1$

A → B: $y_1 \equiv a^{k_1} \pmod{p},\quad 0 < y_1 < p$ (Signed with A’s private key)

B → A: $y_2 \equiv a^{k_2} \pmod{p},\quad 0 < y_2 < p$ (Signed with B’s private key)

A: $K \equiv y_2^{k_1} \equiv a^{k_1 k_2} \pmod{p},\quad 0 < K < p$

B: $K \equiv y_1^{k_2} \equiv a^{k_1 k_2} \pmod{p},\quad 0 < K < p$

He cannot sign!
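The two exchanges above, with and without signatures and with and without a man in the middle, as an added example that is not part of the original slides. The toy RSA signature over SHA-256, the Mersenne primes used as parameters, the base a = 3 and all function names are assumptions chosen so the code runs with the standard library only.

```python
import hashlib
import secrets
from math import gcd

P = 2**521 - 1          # DH modulus p: a known Mersenne prime (toy parameter)
A = 3                   # base a, relatively prime to p

def pick_exponent():
    """Pick k relatively prime to p-1, as the slide requires."""
    while True:
        k = secrets.randbelow(P - 3) + 2
        if gcd(k, P - 1) == 1:
            return k

def rsa_keypair(p, q, e=65537):
    """Toy textbook RSA from two fixed primes. Illustration only."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def _digest(y, n):
    return int.from_bytes(hashlib.sha256(str(y).encode()).digest(), "big") % n

def sign(priv, y):
    n, d = priv
    return pow(_digest(y, n), d, n)

def verify(pub, y, sig):
    n, e = pub
    return pow(sig, e, n) == _digest(y, n)

# Long-term signing keys of A and B (constructed from known Mersenne primes).
ALICE_PUB, ALICE_PRIV = rsa_keypair(2**61 - 1, 2**89 - 1)
BOB_PUB, BOB_PRIV = rsa_keypair(2**107 - 1, 2**127 - 1)

def exchange(signed, mitm):
    """Run one exchange. Returns (K at A, K at B, Trudy's keys or None),
    or None when a signature check fails and the parties abort."""
    k1, k2 = pick_exponent(), pick_exponent()
    y1, y2 = pow(A, k1, P), pow(A, k2, P)
    to_bob = (y1, sign(ALICE_PRIV, y1))
    to_alice = (y2, sign(BOB_PRIV, y2))
    trudy = None
    if mitm:
        kt = pick_exponent()
        yt = pow(A, kt, P)
        trudy = (pow(y1, kt, P), pow(y2, kt, P))
        # Trudy substitutes her own value. She has no private key of A or B,
        # so the best she can do is forward the original signatures.
        to_bob = (yt, to_bob[1])
        to_alice = (yt, to_alice[1])
    if signed and not (verify(ALICE_PUB, *to_bob) and verify(BOB_PUB, *to_alice)):
        return None
    return pow(to_alice[0], k1, P), pow(to_bob[0], k2, P), trudy
```

Without signatures the substituted value goes unnoticed and each party ends up sharing a different key with Trudy; with signatures the substituted value fails verification and the exchange is aborted.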

Authentication Protocols

Needed for the establishment of sessions (VoIP conversations [streams and signaling], TCP sessions, etc.)

Kerberos

Authentication with Public Key Cryptography

HMAC-based protocols

General Rules

Shared-key-based Protocols

Known Pitfalls

Key Distribution Centers

Challenge-Response

Introduction of the Key Players

Alice

Bob

Trudy the Intruder

The General Model

Alice starts by sending a message to Bob or to a trusted Key Distribution Center (KDC)

An exchange follows

Trudy may intercept, modify, or replay any message

Challenge-Response Protocol (first attempt)

Alice → Bob: A (identity)

Bob → Alice: RB (Challenge: a nonce, that is, a large random number, not to be repeated)

Alice → Bob: KAB(RB) (Response, encrypted with the shared key)

Alice → Bob: RA

Bob → Alice: KAB(RA)

Challenge-Response Protocol (Can we do this faster?)

Alice → Bob: A, RA

Bob → Alice: RB, KAB(RA)

Alice → Bob: KAB(RB)

No!

An improvement: 3 instead of 5 messages!

The Reflection Attack

First session
Trudy → Bob: A, RT
Bob → Trudy: RB, KAB(RT)

Second session
Trudy → Bob: A, RB
Bob → Trudy: RB*, KAB(RB)

First session
Trudy → Bob: KAB(RB)

General Rules

The initiator has to prove its identity before the responder

The initiator and responder must use different keys for proof (a need for two shared keys)

Initiator and responder must draw challenges from different sets (e.g., odd/even)

It must be impossible to use authentication information obtained in one session in a different one

But was the First Attempt Really Faultless?

Figure: two message diagrams.
– Between Alice and Bob: A; RA; RB; KAB(RB); KAB(RA)
– Between Trudy and Alice: A; B; RA; RA; KAB(RA); KAB(RA); RA*; RA*; KAB(RA*); KAB(RA*)

Now Trudy has two sessions with Alice!

A Few Conclusions

The authentication protocols are hard…

In the previous example, again the Rules were violated

There is a method of designing protocols of this kind that are provably correct: R. Bird & al, Systematic Design of a Family of Attack-Resistant Authentication Protocols, IEEE Journal on Selected Areas in Communications, vol. 11, pp. 679-693, June 1993

Another Class of Protocols That Work (HMAC)

Hashed Message Authentication Code (HMAC), in general, is the hash (e.g., MD5 or SHA-1) of (some data + shared key)

Alice → Bob: RA

Bob → Alice: RB, HMAC(RA, RB, A, B, KAB)

Alice → Bob: HMAC(RA, RB, KAB)

Trudy does not know KAB, and so she cannot compute HMAC!
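The reflection attack against the three-message protocol, replayed against the HMAC-based protocol above, as an added example that is not part of the original slides. HMAC-SHA256 stands in for both KAB(R) and HMAC(...); the class, the session ids and all function names are assumptions.

```python
import hashlib
import hmac
import secrets

K_AB = secrets.token_bytes(32)   # shared by Alice and Bob; Trudy never sees it

def keyed(key, *fields):
    """Stand-in for K_AB(R) and for HMAC(...): HMAC-SHA256 over
    length-prefixed fields, so different field lists give different tags."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for field in fields:
        mac.update(len(field).to_bytes(2, "big") + field)
    return mac.digest()

# A protocol is described by the proof each side must present.
SHORTENED = {    # A, RA  ->  RB, K_AB(RA)  ->  K_AB(RB)
    "bob_proof":   lambda k, a, ra, rb: keyed(k, ra),
    "alice_proof": lambda k, a, ra, rb: keyed(k, rb),
}
HMAC_BASED = {   # RA  ->  RB, HMAC(RA, RB, A, B, K_AB)  ->  HMAC(RA, RB, K_AB)
    "bob_proof":   lambda k, a, ra, rb: keyed(k, ra, rb, a, b"B"),
    "alice_proof": lambda k, a, ra, rb: keyed(k, ra, rb),
}

class Bob:
    """Responder that, like the Bob of the slides, serves several sessions."""
    def __init__(self, key, proto):
        self.key, self.proto, self.sessions = key, proto, {}

    def hello(self, sid, claimed_id, r_peer):
        rb = secrets.token_bytes(16)                 # fresh challenge RB
        self.sessions[sid] = (claimed_id, r_peer, rb)
        return rb, self.proto["bob_proof"](self.key, claimed_id, r_peer, rb)

    def finish(self, sid, proof):
        claimed_id, r_peer, rb = self.sessions.pop(sid)
        expected = self.proto["alice_proof"](self.key, claimed_id, r_peer, rb)
        return hmac.compare_digest(proof, expected)

def honest_run(proto):
    """Alice, who knows K_AB, authenticates to Bob and checks his proof."""
    bob = Bob(K_AB, proto)
    ra = secrets.token_bytes(16)
    rb, proof = bob.hello(1, b"A", ra)
    if not hmac.compare_digest(proof, proto["bob_proof"](K_AB, b"A", ra, rb)):
        return False
    return bob.finish(1, proto["alice_proof"](K_AB, b"A", ra, rb))

def reflection_attack(proto):
    """Trudy claims to be A without the key: she opens a second session,
    hands Bob his own challenge RB, and returns his answer in the first."""
    bob = Bob(K_AB, proto)
    rt = secrets.token_bytes(16)
    rb, _ = bob.hello(1, b"A", rt)           # first session
    _, reflected = bob.hello(2, b"A", rb)    # second session
    return bob.finish(1, reflected)          # back in the first session
```

Against `SHORTENED` the reflected value is exactly what Bob expects; against `HMAC_BASED` Bob's own output covers both nonces and both identities, so nothing he sends can be reused as Alice's proof.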

Key Distribution Centers (KDCs)

If a process needs to talk to n other processes, it will need to share n keys. As n grows, key management becomes a burden…

Another approach: Each user has a key shared with KDC, and all authentication and session key management go through KDC

Authentication with the Key Distribution Center (First attempt)

I want to use the key K to talk to Bob

Alice → KDC: A, KA(B, K)

KDC → Bob: KB(A, K)

Authentication happens automatically:

• KDC knows it is Alice (because of the shared key)

• Bob knows that the message came from KDC (for the same reason)

But there is a big problem here!

The Replay Attack

Trudy is working for Alice. Trudy knows that today at noon Alice will transfer Trudy’s salary into Trudy’s account in Bob’s bank

12:00

Alice → KDC: A, KA(B, K)

KDC → Bob: KB(A, K)

Alice → Bob: K(“Transfer $20,000 to Trudy”)

12:15

Trudy → Bob: KB(A, K), K(“Transfer $20,000 to Trudy”)

Solutions to Replay Attack (for KDC Protocols)

Include a timestamp in each message
– Problem: Clocks are not exactly synchronized over the network; the differences can be used to sneak a replay

Put a nonce in each message
– Problem: Each party has to remember all previous nonces forever

Combine timestamps with nonces (so as to remember nonces only for maximum misaligned time periods)
– Problem: The protocol will become too complex…

Use a multiway challenge-response protocol
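The 12:15 replay and the combined timestamp-plus-nonce check, as an added example that is not part of the original slides. A JSON body with an HMAC-SHA256 tag stands in for K(...) and KB(...), so it shows integrity only; the class names, the 300-second skew limit and the message layout are assumptions.

```python
import hashlib
import hmac
import json
import secrets

def seal(key, obj):
    """Stand-in for K(...): JSON body followed by an HMAC-SHA256 tag."""
    body = json.dumps(obj, sort_keys=True).encode()
    return body + hmac.new(key, body, hashlib.sha256).digest()

def unseal(key, blob):
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("bad tag")
    return json.loads(body)

class NaiveBob:
    """Bob of the first attempt: any well-formed copy is accepted."""
    def __init__(self, kb):
        self.kb = kb

    def session_key(self, ticket):
        return bytes.fromhex(unseal(self.kb, ticket)["k"])

    def receive(self, ticket, msg, now):
        return unseal(self.session_key(ticket), msg)["text"]

class ReplayAwareBob(NaiveBob):
    """Timestamps bound how long a nonce must be remembered."""
    def __init__(self, kb, max_skew=300):
        super().__init__(kb)
        self.max_skew = max_skew
        self.seen = {}                       # nonce -> timestamp it carried

    def receive(self, ticket, msg, now):
        m = unseal(self.session_key(ticket), msg)
        # Forget nonces whose messages the timestamp check alone now rejects.
        self.seen = {n: t for n, t in self.seen.items()
                     if now - t <= self.max_skew}
        if abs(now - m["ts"]) > self.max_skew:
            raise ValueError("stale timestamp")
        if m["nonce"] in self.seen:
            raise ValueError("replayed nonce")
        self.seen[m["nonce"]] = m["ts"]
        return m["text"]

def scenario(bob_cls):
    """Alice's noon transfer, then copies replayed at 12:02 and 12:15."""
    kb, k = secrets.token_bytes(32), secrets.token_bytes(32)
    noon = 12 * 3600
    ticket = seal(kb, {"from": "A", "k": k.hex()})          # KB(A, K)
    msg = seal(k, {"text": "Transfer $20,000 to Trudy",
                   "ts": noon, "nonce": secrets.token_hex(8)})
    bob = bob_cls(kb)
    results = []
    for now in (noon, noon + 120, noon + 15 * 60):
        try:
            bob.receive(ticket, msg, now)
            results.append("accepted")
        except ValueError as err:
            results.append(str(err))
    return results, len(getattr(bob, "seen", {}))
```

The 12:02 copy falls inside the clock-skew window and is caught only by the nonce cache; the 12:15 copy is caught by the timestamp, by which time the cache entry has already been dropped.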

The Needham-Schroeder Authentication Protocol (1978)

(After A. Tanenbaum)

But it still has a weakness (possible replay of 3 if plaintext of a previous session is found)!

The Otway-Rees Authentication Protocol (1987)

This protocol fixes the problem with Needham-Schroeder more elegantly than Needham and Schroeder did (also in 1987)

(After A. Tanenbaum)

A Few Notes on KDC Issues

KDCs can support hundreds of clients but not millions (scalability)

There is not a single KDC whom all other KDCs trust

There is no standard for inter-KDC communications for cross-realm authentication

Authentication with Kerberos

Kerberos was designed at MIT, and it is based on a variant of Needham-Schroeder
– Kerberos V.4 is widely used (for example, in Microsoft Windows 2000)
– Kerberos V.5 is being deployed

Kerberos assumes that all clocks are synchronized

Kerberos modifies the KDC model

The Kerberos Model: Three Servers

Authentication Server (AS)
– Authenticates users during the login session
– Shares a secret (password) with every user

Ticket-Granting Server (TGS)
– Issues proof-of-identity tickets, which convince other servers that the owners of the tickets are who they claim to be

The real-work server
– Does the real work (performs services such as banking transactions, telephone calls, etc.)

Operation of Kerberos (V4) AS

Alice → AS: A (plaintext)

AS → Alice: KA(KS, KTGS[A, KS])
– KS: Session key
– KTGS[A, KS]: To pass to TGS

At this point,

1) Alice is prompted for a password by the client, and this password is used for generating KA, so she obtains the session key and the ticket for TGS
2) The client overwrites the password
3) Alice says she wants to use Bob’s services

Operation of Kerberos (V4) TGS

Alice → TGS: KTGS(A, KS), B, KS(t)
– KTGS: TGS’s secret key
– KS(t): Encrypted timestamp (so that Trudy could not replay the message with a younger timestamp)

TGS → Alice: KS(B, KAB), KB(A, KAB)
– KS(B, KAB): Session key for talking to Bob
– KB(A, KAB): Ticket to Bob

Now Alice can start talking to the real-work server—Bob

Operation of Kerberos (V4) Server

Alice → Server: KB(A, KAB), B, KAB(t)
– KB(A, KAB): Ticket to Bob
– KAB(t): Encrypted timestamp

Server → Alice: KAB(t+1)
– Timestamped proof of Bob’s identity (Trudy could not do that!)

Now Alice can work with Bob, but if she needs to change to another real-work server, she just restarts with the request to TGS (no passwords are ever transmitted)

Kerberos Realms

Figure: two realms, each with its own AS, TGS and Servers.

One can ask TGS for a ticket to a server in another realm

Authentication with Public Key Cryptography: A Naïve “Solution”

Messages shown: A; R; PrA(R)

…R = “I, undersigned Alice, owe Trudy $100,000”
or
R = encrypted message from Bob

Authentication with Public Key Cryptography

Alice → PKI Directory: Bob’s Public Key?

PKI Directory → Alice: EB

Alice → Bob: EB(A, RA)

Bob → PKI Directory: Alice’s Public Key?

PKI Directory → Bob: EA

Bob → Alice: EA(RA, RB, KS) (Proof of freshness and Bob’s identity)

Alice → Bob: KS(RB)

Communication Security Overview

S/MIME

TLS/SSL

DNSsec

Secure File Systems

Mobile code security

Firewalls

PGP

IPsec/VPNs

Network Security in the Protocol Stack

Application Layer

Presentation Layer

Session Layer

Transport Layer

Network Layer: firewalls help with limited success

Link Layer: nothing needs to be done, if it is really point-to-point; otherwise, use link encryption

Physical Layer: Prevent wiretapping by enclosing transmission lines in sealed tubes containing argon at high pressure monitored by an alarm

Encrypt the whole session

Application-specific protocols

Two Views in the Internet Camp

Security must be end-to-end, and for this reason alone must be implemented in the Application Layer (which will make plaintext unavailable to operating systems)

Problem: Then all applications must be re-written and… how many people really understand security to rewrite them?

Security must be implemented in the Network Layer without users ever approaching it!

Problem: Even though this view has prevailed, a truly network-layer implementation proved to be impossible, and Internet principles had to be violated.

IP Security Protocol (IPsec)

IPsec is a framework for multiple
– Services: confidentiality, integrity, protection from replay—among the major ones
– Algorithms: to make it algorithm-independent (and there is a Null algorithm)
– Granularities: from a single TCP connection to an aggregate

IPsec is… connection-oriented!

Security Association (SA)

SA is a simplex connection identified by Security Parameters Index (SPI) carried by all packets

SA is needed because
– a key must be used for some period of time—the duration of the connection
– the set up time is amortized among many packets

Establishing an SA

This involves
– Authenticating both ends
– Establishing the key
– Agreeing on cryptographic algorithms
– Initializing the sequence number (which will run through the life of the association)
– Establishing SPI

Two Parts of IPsec

The Internet Security Association and Key Management Protocol (ISAKMP) deals with establishing symmetric keys
– The main protocol is called Internet Key Exchange (IKE). It has problems, and it is being replaced by IKE2

The other part deals with the headers defined for the two modes of IPsec operation
– Transport mode and
– Tunnel mode

Transport and Tunnel Modes

Transport mode

IP header | IPsec header | IP payload

Via the Protocol field

Tunnel mode

New IP header | IP packet

Useful for 1) terminating at other than end-user locations (e.g., firewalls) and 2) aggregation to prevent traffic analysis

Two (Historical) Headers

The Authentication Header (AH) deals only with integrity checking but not confidentiality; hashed message authentication code (HMAC) integrity check covers only immutable IP fields (not TTL)

The Encapsulating Security Payload (ESP) supports both HMAC integrity and full confidentiality. In a way, it makes AH superfluous

Authentication Header (AH) (IPv4 Transport Mode)

Stores the value that IP Protocol field had

Number of 32-bit words in AH minus 2

The “virtual circuit number” associated with the shared key

Runs for the life of the SA

Payload + key, signed

(After A. Tanenbaum)

Encapsulating Security Payload (ESP) Header

Transport mode

Tunnel Mode

32 bits

Security Parameters Index

Sequence Number

Initialization vector for encryption

Trails to help hardware run all bits through before the calculation

(After A. Tanenbaum)

Virtual Private Networks (VPNs)

(After A. Tanenbaum)

Before After

Firewalls

While IPsec protects the data in transit, it does nothing to keep bad bits out

Firewalls are supposed to do that. They combine
– An outgoing layer 3 packet filter
– An incoming layer 3 packet filter
– An application gateway to carefully check (wherever possible) application data

Firewalls (cont.)

What Firewalls Cannot Do

Deal with encrypted traffic or examine and restrict graphic (or video or .wav) content

Prevent attacks from inside (and this is 70% of all attacks!)

Prevent the Denial of Service (DoS) attacks—especially the Distributed DoS, from several different sources

Interwork well with real-time multimedia services (including VoIP) because of the dynamic port allocation by the Real Time Transport Protocol (RTP)

E-Mail Security

There are two systems:

Pretty Good Privacy (PGP)

and

Secure Multipurpose Internet Mail Extensions (S/MIME)

PGP

Uses International Data Encryption Algorithm (IDEA) with 128-bit keys

Is a one-man (Phil Zimmermann) show

Has an interesting history (Zimmermann had been investigated for five years for “exporting munition”)

Supports text compression, confidentiality, digital signatures

Provides extensive key management facilities

Takes plaintext as input and produces a base64-encoded ASCII string as output

How PGP Works

Based on random input from Alice

(After A. Tanenbaum)

A PGP Message

After A. Tanenbaum

S/MIME

Is similar to but more structured than PGP

Uses triple-DES rather than IDEA

Uses X.509 certification for keys

Allows multiple trust anchors

Replaces an earlier IETF standard called Privacy Enhanced Mail (PEM), which had specified a rigid certification system with one anchor. No one used it.

Web Security Issues

1. Secure Naming
2. Secure Connections
3. Secure mobile code

Secure Naming: Threats

Figure: a lookup of www.bob.com, the addresses 36.1.2.3 and 42.9.9.9, and a DNS Server with a Poisoned Cache holding the entry "www.bob.com: 36.1.2.3 42.9.9.9".

Secure DNS (DNSsec)

All information sent by a DNS server is signed with the originating zone’s private key (proof of origin)

Both requests and transactions are authenticated making spoofing and replay impossible

DNSsec relies on PKI for key distribution

Secure Sockets Layer (SSL)

Was first developed in 1995 by Netscape and now widely used everywhere

Builds a secure connection between two sockets (application process’ endpoints)
– Parameter negotiation between client and server
– Mutual authentication
– Confidentiality
– Data integrity protection

Has evolved into the IETF Transport Layer Security (TLS) standard (which is stronger than SSL but has not been yet deployed)

Position of the SSL/TLS in the OSI Reference Architecture

Application Layer: HTTPS (no change to HTTP!)

Presentation Layer

Session Layer

Transport Layer

Network Layer

Link Layer

Physical Layer

SSL/TLS

SSL/TLS Connection Establishment

Client → Server: SSL version, preferences (cryptographic algorithms, compression), nonce RClient

Server → Client: SSL version, choices, nonce RServer

Server → Client: Certificate with Public key EServer, X.509 trust chain

Client → Server: EServer(384 bit pre-master key—randomly chosen)

Client: Compute session key KS(EServer, RClient, RServer)

Server: Compute session key KS(EServer, RClient, RServer)

End

ACK

The Rest of the SSL/TLS Session

Figure: processing of the data to be sent.

Unit 1 | Unit 2 | … | Unit n

Compression (if agreed on)

HMAC is added (KS and pre-master key are concatenated with the unit, and the result is hashed)

Everything is encrypted using KS

Transport header is attached

Mobile Code

Java applets, ActiveX controls, and JavaScripts present a massive security risk

How are they handled?
– Sandboxes for not trusted Java applets
– Digital signatures accompanying ActiveX controls. An extremely dangerous technique proven to have a disastrous potential!
– Nothing for JavaScripts (remain very dangerous)

Social Issues

Privacy

Freedom of speech

Copyright

Covert communications (steganography)

Use of steganography to protect copyright

Privacy

The Fourth Amendment to the US Constitution prohibits searching people’s houses, papers, and effects without a search warrant

Strong cryptography (like PGP’s) provides privacy to every user, including criminals, spies, and terrorists—so their correspondence cannot be perlustrated even in place of search warrants

Lawful intercept is an essential self-protection task of every state, however

Many countries (e.g., France up to 1999) used to forbid the encryption unless all cryptographic keys are placed in escrow with their governments

E-mail privacy (Anonymous Re-mailers)

Initially, the anonymous Type 1 re-mailers kept the trace of correspondents. Consequently, under the order of a court, an anonymous re-mailer had to disclose the true identity of a sender who was sued

The new re-mailers (cyberpunk re-mailers) are not supposed to keep any trace of anything

How Re-mailers Work

Figure: a re-mailer S with Public Key ES.

Sent to the re-mailer: To: S.address; ES( To: Bob; Message )

Sent on by the re-mailer: From: Anonym; To: Bob; Message

Chaining Re-mailers

Figure: a message passed through three re-mailers, S1 (Public Key E1), S2 (Public Key E2) and S3 (Public Key E3).

Alice → S1: From: Alice; To: S1.address; E1( To: S2.address; E2( To: S3.address; E3( To: Bob; Message ) ) )

S1 → S2: To: S2.address; E2( To: S3.address; E3( To: Bob; Message ) )

S2 → S3: To: S3.address; E3( To: Bob; Message )

S3 → Bob: From: Anonym; To: Bob; Message

Re-mailers Protect Anonymity, but…

They aid
– Mail spam and
– Phishing

By the way, not only e-mail servers provide anonymity; there are also HTTP anonymizers

Freedom of Speech

Censorship is its opposite

Materials that a government may choose to ban from web sites include pornography, hate, manuals for building weapons, etc.

But a particular server may reside in a country that does not restrict specific materials that are banned by another country

Since the prosecuting country often has no jurisdiction in such cases, little can be enforced

The Internet, in general, opposes any censorship

Steganography (στεγανω γραφ: covered writing)

The color image uses 1024 * 769 picture cells (pixels)

Each pixel consists of three 8-bit numbers (RGB): {red intensity, green intensity, blue intensity}

Stealing one bit from each color (7-bit color is practically indistinguishable from 8-bit color), one gets 1024*769*3/8 = 294,912 bytes to store secret information (which can also be compressed and encrypted)

It is even simpler with black-and-white photography
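The "one bit from each color" scheme as an added example that is not part of the original slides: the lowest bit of every 8-bit color value carries one payload bit, and a 4-byte length prefix lets the reader know where the payload ends. The flat R,G,B byte layout, the length prefix, the constructed test image and all function names are assumptions.

```python
def capacity_bytes(width, height):
    """Bytes available when one bit is taken from each of the 3 colors."""
    return width * height * 3 // 8

def embed(pixels, secret):
    """Return a copy of `pixels` (flat R,G,B bytes) whose least significant
    bits carry a 4-byte big-endian length followed by `secret`."""
    payload = len(secret).to_bytes(4, "big") + secret
    if len(payload) * 8 > len(pixels):
        raise ValueError("secret does not fit in this image")
    out = bytearray(pixels)
    for i in range(len(payload) * 8):
        bit = (payload[i // 8] >> (7 - i % 8)) & 1
        out[i] = (out[i] & 0xFE) | bit       # only the lowest bit changes
    return bytes(out)

def _read(pixels, start_bit, n_bytes):
    data = bytearray()
    for b in range(n_bytes):
        value = 0
        for i in range(8):
            value = (value << 1) | (pixels[start_bit + b * 8 + i] & 1)
        data.append(value)
    return bytes(data)

def extract(pixels):
    """Recover the payload written by embed()."""
    length = int.from_bytes(_read(pixels, 0, 4), "big")
    if 32 + length * 8 > len(pixels):
        raise ValueError("no valid payload in this image")
    return _read(pixels, 32, length)

def sample_image(width=64, height=48):
    """Constructed test image: a simple color gradient, flat R,G,B bytes."""
    return bytes((x * 3 + y * 5 + c * 7) % 256
                 for y in range(height) for x in range(width) for c in range(3))
```

No color value moves by more than one intensity step, which is why the change is invisible to the eye and why the same mechanism can carry a copyright watermark.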

Steganography

http://www.jjtc.com/Security/stegtools.htm

http://www.spychecker.com/program/stools.html

Using S-tools (Steganography tools for Windows) by A. Brown

Steganography also works with digital audio (e.g., .wav) files

Steganography Demo

M. A. Bulgakov M. A. Bulgakov and an excerpt from a draft of “Master and Margarita”

Copyright

Copyright is the granting to the creators of intellectual property—writers, artists, composers, etc.—the exclusive right to exploit it

Many on the Internet have been violating copyright by making copyrighted material available to others

Lawmakers, lawyers, and various industries are very busy balancing the economic interests of copyright owners and the public

Steganography provides an excellent watermarking tool that allows to enforce prosecution of certain violations (e.g., plagiarism)

Limited Bibliography

K. H. Rosen, Elementary Number Theory and Its Application, 3rd Edition, Addison Wesley, 1993

A. Tanenbaum, Computer Networks, 4th Edition, Prentice Hall, 2003

C. Kaufman, R. Perlman, and M. Speciner, Network Security, 2nd Edition, Prentice Hall, 2003

www.ietf.org

www.itu.int (Go to the SG 17 site for security; SG 13 and FG NGN, for NGN)

www.iso.org (Look for ISO/IEC JTC1 SC 27)