In the name of Allah, the Most Gracious, the Most Merciful
NETWORK SECURITY
Done By:
Saad Al-Shahrani, Saeed Al-Smazarkah
May 2006
Network Security Goals
Confidentiality or Privacy: Only sender, intended receiver should "understand" message contents
o Sender encrypts message
o Receiver decrypts message
Authentication: Sender, receiver want to confirm identity of each other
Integrity: Sender, receiver want to ensure messages are not altered during transmission without detection
Access and Availability: Services must be accessible and available to users
People want to communicate securely
• Eve (intruder/eavesdropper): may intercept, delete, add messages
There are Eavesdroppers out there!
Q: What can an eavesdropper do?
A: A lot!
o Observing and recording information
o Unauthorized access to a server
o Denial of service: prevent service from being used by others (e.g. by flooding a server with requests)
o Impersonating a legitimate server
o Hijacking: “take over” ongoing connection by removing sender or receiver, inserting himself in place
Network Security: Agenda
o Main weapon: cryptography
   • Confidentiality (encryption)
   • Message authentication
   • Signatures and Certificates
o Internet Threats, Attacks and Defenses
   • Secure request/response protocols
   • Secure connection 'tunnels'
   • Denial of Service attacks
   • Firewalls
Encryption Protects Confidentiality
• Secret Key crypto: Shared secret key (KE,B = KD,B)
• Public key crypto: A user has a public encryption key KE,B and a matching private decryption key KD,B
Secret Key Crypto
• Two operations ("encrypt", "decrypt") which are inverses of each other, like multiplication/division
• One parameter ("the key")
• Even the person who designed the algorithm can't break it without the key
• Ideally, a different key for each pair of users
Secret key crypto
• encrypt = f(K, plaintext) = ciphertext
• decrypt = f(K, ciphertext) = plaintext
• authentication: send f(K, challenge)
• integrity check: f(K, msg) = X
• verify integrity check: f(K, X, msg)
Public Key Crypto
• Two keys per user, keys are inverses of each other
• Public key "BPub" you tell to the world
• Private key "BPriv" you keep private
• Yes, it's magic. Why can't you derive "BPriv" from "BPub"?
• And if it's hard, where did (BPub, BPriv) come from?
Encryption and Integrity
Encryption hides the message from eavesdropper
Question: can eavesdropper change message?
o Or: does encryption ensure message integrity?
With Public Key Encryption:
o Eve can replace EBPub(m) with fake: EBPub(m')
With Secret (shared) Key Encryption:
o This seems harder to do
o But given c = m ⊕ k, attacker can send c ⊕ mask, to invert any bit in decrypted message (use mask)
Encryption does not ensure integrity!
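Added example (not from the original slides): the c = m ⊕ k case above in Python, followed by the keyed integrity check f(K, msg) from the Secret Key Crypto slide, here HMAC-SHA256 computed over the ciphertext. The keystream function, keys and message are constructed for the demo; a real stream cipher also needs a fresh nonce per message.

```python
import hashlib
import hmac

def keystream(key: bytes, n: int) -> bytes:
    """Toy keystream: SHA-256 in counter mode (constructed for this demo, not RC4)."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt(key: bytes, msg: bytes) -> bytes:
    """c = m XOR k. Decryption is the same operation."""
    return xor(msg, keystream(key, len(msg)))

decrypt = encrypt

def tamper(cipher: bytes, known: bytes, wanted: bytes, offset: int) -> bytes:
    """What the slide describes: c' = c XOR mask, computed without the key.
    mask is zero everywhere except where known plaintext becomes wanted text."""
    mask = bytes(offset) + xor(known, wanted)
    mask += bytes(len(cipher) - len(mask))
    return xor(cipher, mask)

def seal(enc_key: bytes, mac_key: bytes, msg: bytes):
    """Encrypt, then attach the integrity check X = f(K, ciphertext)."""
    c = encrypt(enc_key, msg)
    return c, hmac.new(mac_key, c, hashlib.sha256).digest()

def open_sealed(enc_key: bytes, mac_key: bytes, c: bytes, tag: bytes) -> bytes:
    """Verify the integrity check before decrypting; reject altered ciphertext."""
    expected = hmac.new(mac_key, c, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("integrity check failed")
    return decrypt(enc_key, c)

if __name__ == "__main__":
    enc_key, mac_key = b"E" * 16, b"M" * 16          # constructed keys
    c, tag = seal(enc_key, mac_key, b"PAY 0100 TO SAEED")
    altered = tamper(c, b"0100", b"9900", 4)
    print(decrypt(enc_key, altered))                 # encryption alone accepts it
    try:
        open_sealed(enc_key, mac_key, altered, tag)
    except ValueError as err:
        print("rejected:", err)
```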
Public Key VS. Secret Key
In terms of capabilities public key is more powerful.
Public key provides digital signature.
Secret key is much faster than public key
Public Key Digital Signatures: concept
• One of the best features of public key
• An integrity check
   o calculated as f(priv key, data)
   o verified as f(public key, data, signature)
• Verifiers don't need to know secret key
• RSA can be used for digital signature scheme
Popular Secret Key Algorithms
• DES: old standard, 56-bit key, slow
• 3DES: fix key size but 3 times as slow
• RC4: variable length key, "stream cipher" (generate stream from key, XOR with data)
• AES: replacement for DES, will probably take over
Popular Public Key Algorithms
RSA: public key operations can be made very fast, but private key operations will be slow.
ECC (elliptic curve crypto): smaller keys, so faster than RSA (but not for public key ops).
Key Distribution Problem
Secret Key Problem: How do two entities establish shared secret key over the network?
Solution: Trusted key distribution center (KDC) acting as intermediary between entities
KDC needs shared key with each entity.
Public Key Problem: When Saad obtains Saeed's public key (from web site, e-mail, diskette), how does he know it is Saeed's public key, not eavesdropper's?
Solution: Trusted certification authority (CA)
Key Distribution - Secret Keys
• Could configure n^2 keys
• Makes the systems unfeasible for large-scale use
• Instead use Key Distribution Center (KDC)
   o Every user has a secret key shared with KDC
   o The KDC knows all the users
   o The KDC assigns a key to any pair who need to talk
Key Distribution - Public Keys
Certification Authority (CA) signs “Certificates”
Certificate = a signed message saying “I, the CA, vouch that 489024729 is Saad’s public key”
If everyone has a certificate, a private key, and the CA’s public key, they can authenticate
Key Distribution - Public Keys
[Diagram: Saad and Saeed exchange CA-signed certificates, [“Saad”, key=342872]CA and [“Saeed”, key=8294781]CA, then proceed with auth, encryption, etc.]
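Added example (not from the original slides): the signature concept f(priv key, data) / f(public key, data, signature) and the CA certificate check, using textbook RSA with two small Mersenne primes. The primes, the certificate layout and the function names are assumptions made for the demo; unpadded RSA at this size is not secure.

```python
import hashlib

# Toy CA key pair (constructed). Real CAs use padded RSA with 2048+ bit moduli.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))        # CA private exponent, never published

def digest(data: bytes) -> int:
    """Hash the data and reduce it into the RSA modulus."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign(priv_d: int, data: bytes) -> int:
    """signature = f(priv key, data)"""
    return pow(digest(data), priv_d, N)

def verify(pub_e: int, data: bytes, sig: int) -> bool:
    """f(public key, data, signature): needs only public values (E, N)."""
    return pow(sig, pub_e, N) == digest(data)

def cert_body(name: str, key: int) -> bytes:
    return f"{name}|{key}".encode()

def issue_certificate(name: str, public_key: int) -> dict:
    """CA side: 'I, the CA, vouch that <public_key> is <name>'s public key'."""
    sig = sign(D, cert_body(name, public_key))
    return {"name": name, "key": public_key, "sig": sig}

def check_certificate(cert: dict, expected_name: str) -> bool:
    """User side: the name must match the peer and the CA signature must verify."""
    body = cert_body(cert["name"], cert["key"])
    return cert["name"] == expected_name and verify(E, body, cert["sig"])

if __name__ == "__main__":
    saad = issue_certificate("Saad", 342872)          # key values from the slide
    print(check_certificate(saad, "Saad"))            # True
    swapped = dict(saad, key=999999)                  # eavesdropper's key swapped in
    print(check_certificate(swapped, "Saad"))         # False: signature mismatch
```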
Denial Of Service Attack
Attacker tries to exhaust resources of host/ server/ router/ user
Resources include:
o Computation (CPU time)
o Storage (e.g. for state of requests/connections)
o Open TCP connections: limited (10s to several thousand connections, depending on hardware, operating system)
SYN flooding DOS attack: attacker sends 'SYN' flow (open connection); server waits
SYN flooding DOS attack
Attacker sends many SYN requests (using different spoofed client IP address), no ACK
Uses up server’s capacity for open connections
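Added example (not from the original slides): detection logic for the condition described above, counting connections that sent SYN but never completed with ACK and comparing the peak to the server's capacity for open connections. The log format, addresses, backlog size and timeout are constructed for the demo.

```python
def parse(line: str):
    """Constructed log format: '<time> <src ip:port> > <dst ip:port> <SYN|ACK>'."""
    t, src, _, dst, flag = line.split()
    return float(t), src, dst, flag

def analyse(lines, backlog: int = 128, timeout: float = 30.0) -> dict:
    """Track half-open connections the way the server's connection table fills."""
    pending = {}                 # (src, dst) -> time the SYN arrived
    peak = completed = 0
    for t, src, dst, flag in map(parse, lines):
        # The server eventually gives up on entries that never got an ACK.
        for key in [k for k, t0 in pending.items() if t - t0 > timeout]:
            del pending[key]
        if flag == "SYN":
            pending[(src, dst)] = t
        elif flag == "ACK" and pending.pop((src, dst), None) is not None:
            completed += 1
        peak = max(peak, len(pending))
    return {"peak_half_open": peak, "completed": completed,
            "alert": peak >= backlog}

# Constructed sample traffic: two normal handshakes ...
NORMAL = [
    "0.00 192.0.2.10:40001 > 10.0.0.5:80 SYN",
    "0.05 192.0.2.10:40001 > 10.0.0.5:80 ACK",
    "1.00 192.0.2.11:40002 > 10.0.0.5:80 SYN",
    "1.04 192.0.2.11:40002 > 10.0.0.5:80 ACK",
]
# ... followed by 200 SYNs from varying source addresses with no ACK.
FLOOD = NORMAL + [
    f"{2 + i * 0.01:.2f} 198.51.100.{i % 250 + 1}:{1024 + i} > 10.0.0.5:80 SYN"
    for i in range(200)
]

if __name__ == "__main__":
    print(analyse(NORMAL))
    print(analyse(FLOOD))
```

Because every spoofed SYN carries a different source address, the count is kept per server rather than per client.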
Firewalls
Firewall: A secure machine (or program), isolating organization's internal net from larger Internet (or another net), allowing some packets to pass, blocking others
Packet Filtering
Internal network connected to Internet via Router Firewall (packet filtering)
Router filters packet-by-packet, decision to forward/ drop packet based on:
o Source IP address, destination IP address
o TCP/UDP source and destination port numbers
o TCP SYN and ACK bit (identify client vs. server)
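Added example (not from the original slides): a packet-by-packet filter that decides on exactly the fields listed above, with a first-match rule table that lets inside clients open web connections and admits only reply packets (ACK bit set) from outside. The internal range, rule set and addresses are constructed for the demo.

```python
import ipaddress
from typing import NamedTuple

class Packet(NamedTuple):
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool
    ack: bool

INTERNAL = ipaddress.ip_network("10.0.0.0/8")    # constructed internal network
ANY = ipaddress.ip_network("0.0.0.0/0")

# (action, source net, destination net, source port, destination port, ACK bit)
# None means "any value". Rules are checked top to bottom; first match wins.
RULES = [
    ("allow", INTERNAL, ANY, None, 80, None),    # inside client -> outside web server
    ("allow", ANY, INTERNAL, 80, None, True),    # replies only: ACK must be set
    ("deny", ANY, ANY, None, None, None),        # everything else is dropped
]

def decide(pkt: Packet) -> str:
    """Forward/drop decision for one packet, with no per-connection state."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for action, src_net, dst_net, sport, dport, ack in RULES:
        if (src in src_net and dst in dst_net
                and sport in (None, pkt.sport)
                and dport in (None, pkt.dport)
                and ack in (None, pkt.ack)):
            return action
    return "deny"

if __name__ == "__main__":
    out_syn = Packet("10.1.2.3", "198.51.100.7", 50000, 80, True, False)
    reply = Packet("198.51.100.7", "10.1.2.3", 80, 50000, True, True)
    in_syn = Packet("203.0.113.9", "10.1.2.3", 80, 22, True, False)
    for p in (out_syn, reply, in_syn):
        print(p, "->", decide(p))
```

A first packet of a connection has SYN=1 and ACK=0, so the second rule cannot match an inbound connection attempt; the filter still trusts the ACK bit as sent, since it keeps no connection state.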