04/18/23 Gene Itkis: BU CAS 558 - Network Security 1

CS 558: Network Security

Gene Itkis

04/18/23 Gene Itkis: BU CAS 558 - Network Security 2

Network Security

Overview

04/18/23 Gene Itkis: BU CAS 558 - Network Security 3

Basic scenario

04/18/23 Gene Itkis: BU CAS 558 - Network Security 4

AliceSimplified Scenario

Network:•Internet•intranet•LAN•WAN•…

Bob

How to protect?•Encrypt

•Key agreement

•Authenticate

Eve

Issues:•Protocols•Protection (crypto)

A solution: SSL/TLS

04/18/23 Gene Itkis: BU CAS 558 - Network Security 5

How to protect?

04/18/23 Gene Itkis: BU CAS 558 - Network Security 6

Crypto

Landscape overview

04/18/23 Gene Itkis: BU CAS 558 - Network Security 7

Definitions and Concepts

04/18/23 Gene Itkis: BU CAS 558 - Network Security 8

What is CryptographyCryptography?

It all started with

– EncryptionEncryption / DecryptionDecryption

“attack at midnight”

“buubdl bu njeojhiu”

- plaintext

- ciphertext

04/18/23 Gene Itkis: BU CAS 558 - Network Security 9

Encryption / Decryption (cont.)

encoder

decoder

(plaintext in -ciphertext out)

ciphertext ciphertext msgmsg

(ciphertext in - plaintext out)

(should understand nothingnothing about the msg)

eavesdropper

bla-bla

cmb-cmb-cmbcmb

bla-bla

Shared Key

04/18/23 Gene Itkis: BU CAS 558 - Network Security 10

Crypto tools Encryption/decryption – to hide info Key exchange - to establish shared

key Authentication – to establish shared key

with the party you really meant to– public– private

Signatures Hashing Certificates, PKI

04/18/23 Gene Itkis: BU CAS 558 - Network Security 11

Adversary types

Alice and Bob want to communicate in presence of adversaries– Adversaries:

Passive – just looking Active – may change msgs

AliceAlice

BobBob

04/18/23 Gene Itkis: BU CAS 558 - Network Security 12

Key exchange: man-in-the-middle

Key exchange without Authentication– Subject to Man-in-the-Middle attack

Attacker translates between the keys, reading and/or modifying the messages

– Authentication afterwards will not help!

AliceAlice BobBobShared w/AliceShare

d w/Bob

04/18/23 Gene Itkis: BU CAS 558 - Network Security 13

Authentication

M

AliceAlice

BobBob

•Alice sends a msg M to Bob •Bob wants to be sure M is really from Alice

04/18/23 Gene Itkis: BU CAS 558 - Network Security 14

Signatures

AliceAlice

BobBob

SAliceAlice

SigM= Sign(M, SAliceAlice )

(M, SigM)

Verify(M, SigM, …)

04/18/23 Gene Itkis: BU CAS 558 - Network Security 15

Authentication: “public”

AliceAlice

BobBob

• checks• contracts•…

04/18/23 Gene Itkis: BU CAS 558 - Network Security 16

Public Key Signatures

PAliceAlice

AliceAliceBobBob

SAliceAlice

SigM= Sign(M, SAliceAlice )

= (M, SigM)

Verify(M, SigM, PAlice Alice )

Public Key Secret Key

ProblemProblem: How to authenticate: How to authenticate PAliceAlice ??

04/18/23 Gene Itkis: BU CAS 558 - Network Security 17

Certificates

“This public key PAliceAlice really belongs to Alice. Signed by Charlie, Certification Authority”

Certificates can be public! Who’s Charlie?!?Who’s Charlie?!?

AliceAliceCharlie,Charlie,

CACA

SAliceAlice

Public Key Secret Key

PAliceAlice

PAliceAlice

CA

04/18/23 Gene Itkis: BU CAS 558 - Network Security 18

Public Key Infrastructures (PKI) Root CA public key

– Obtained out-of-band– Certifies other Public Keys

(of CAs, or users) Certification Chains Grain of salt: so, you have a

certificate… To be continued…

04/18/23 Gene Itkis: BU CAS 558 - Network Security 19

Back to Signatures

AliceAlice

BobBob

SAliceAlice

SigM= Sign(M, SAliceAlice )

= (M, SigM)

Verify(M, SigM, …)

04/18/23 Gene Itkis: BU CAS 558 - Network Security 20

Authentication: “private”AliceAlice

BobBob

SAliceAlice

SigM= Sign(M, SAliceAlice )

= (M, SigM)

SAliceAlice

Verify(M, SigM, SAliceAlice ) :

Check SigM= Sign(M, SAliceAlice )

Message Authentication Code (MAC)Sign(M, SAliceAlice )=Hash(M, SAliceAlice )

MAC = “Shared Secret Sig” = Symmetric Sig (Sign=Verify)

04/18/23 Gene Itkis: BU CAS 558 - Network Security 21

Hashing

Crypto Hash:collisions may exist, but

are hard to find Given y hard to find x, s.t. Hash(x)=y

Used for: Symmetric signatures “Fingerprint” for Public Key signatures

x1 Hash y

x2collision

04/18/23 Gene Itkis: BU CAS 558 - Network Security 22

Another setting

AliceAlice

BobBob

04/18/23 Gene Itkis: BU CAS 558 - Network Security 23

04/18/23 Gene Itkis: BU CAS 558 - Network Security 24

04/18/23 Gene Itkis: BU CAS 558 - Network Security 25

04/18/23 Gene Itkis: BU CAS 558 - Network Security 26

04/18/23 Gene Itkis: BU CAS 558 - Network Security 27

04/18/23 Gene Itkis: BU CAS 558 - Network Security 28

04/18/23 Gene Itkis: BU CAS 558 - Network Security 29

04/18/23 Gene Itkis: BU CAS 558 - Network Security 30

04/18/23 Gene Itkis: BU CAS 558 - Network Security 31

04/18/23 Gene Itkis: BU CAS 558 - Network Security 32

04/18/23 Gene Itkis: BU CAS 558 - Network Security 33

04/18/23 Gene Itkis: BU CAS 558 - Network Security 34

04/18/23 Gene Itkis: BU CAS 558 - Network Security 35

04/18/23 Gene Itkis: BU CAS 558 - Network Security 36

04/18/23 Gene Itkis: BU CAS 558 - Network Security 37

04/18/23 Gene Itkis: BU CAS 558 - Network Security 38

04/18/23 Gene Itkis: BU CAS 558 - Network Security 39

04/18/23 Gene Itkis: BU CAS 558 - Network Security 40

04/18/23 Gene Itkis: BU CAS 558 - Network Security 41

04/18/23 Gene Itkis: BU CAS 558 - Network Security 42

04/18/23 Gene Itkis: BU CAS 558 - Network Security 43

04/18/23 Gene Itkis: BU CAS 558 - Network Security 44

04/18/23 Gene Itkis: BU CAS 558 - Network Security 45

04/18/23 Gene Itkis: BU CAS 558 - Network Security 46

04/18/23 Gene Itkis: BU CAS 558 - Network Security 47