Network Security
- introduction
- cryptography
- authentication
- key exchange
Required reading: text section 7.1

Network Security
intruder may:
- eavesdrop
- remove, modify, and/or insert messages
- read and playback messages
important issues:
- cryptography: secrecy of info being transmitted
- authentication: proving who you are and having correspondent prove his/her/its identity

Security in Computer Networks
User resources:
- login passwords often transmitted unencrypted in TCP packets between applications (e.g., telnet, ftp)
- passwords provide little protection
Network resources:
- often completely unprotected from intruder eavesdropping, injection of false messages
- mail spoofs, router updates, ICMP messages, network management messages
Bottom line:
- intruder attaching his/her machine (access to OS code, root privileges) onto network can override many system-provided security measures
- users must take a more active role

Encryption
- plaintext: unencrypted message
- ciphertext: encrypted form of message
- intruder may:
  - intercept ciphertext transmission
  - intercept plaintext/ciphertext pairs
  - obtain encryption/decryption algorithms

A simple encryption algorithm
substitution cipher:
    abcdefghijklmnopqrstuvwxyz
    poiuytrewqasdfghjklmnbvczx
- replace each plaintext character in message with matching ciphertext character:
    plaintext:  Charlotte, my love
    ciphertext: iepksgmmy, dz sgby
- key is pairing between plaintext characters and ciphertext characters
- symmetric key: sender and receiver use same key
- 26! (approx 10**26) different possible keys: unlikely to be broken by random tries
- substitution cipher subject to decryption using observed frequency of letters
  - 'e' most common letter, 'the' most common word
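
The slide's key row, applied in both directions and then examined the way a frequency analyst would. This is an added example, not part of the original slides; the sample sentence is constructed and the function names are illustrative.

```python
import string
from collections import Counter

PLAIN = string.ascii_lowercase
CIPHER = "poiuytrewqasdfghjklmnbvczx"       # key row from the slide
ENC = str.maketrans(PLAIN, CIPHER)
DEC = str.maketrans(CIPHER, PLAIN)

def encrypt(text):
    """Substitute each letter; spaces and punctuation pass through unchanged."""
    return text.lower().translate(ENC)

def decrypt(text):
    return text.lower().translate(DEC)

def letter_ranking(text):
    """Letters of text ordered from most to least frequent."""
    counts = Counter(ch for ch in text.lower() if ch in PLAIN)
    return [ch for ch, _ in counts.most_common()]

def histogram_shape(text):
    """Sorted letter counts. Substitution relabels letters but keeps these counts."""
    return sorted(Counter(ch for ch in text.lower() if ch in PLAIN).values())

# Constructed sample in which 'e' dominates, as it does in ordinary English.
SAMPLE = "meet me at the green tree; see the seven bees here"

if __name__ == "__main__":
    print(encrypt("Charlotte, my love"))
    ct = encrypt(SAMPLE)
    print(ct)
    # The analyst's first guess: the most frequent ciphertext letter stands for 'e'.
    guess = letter_ranking(ct)[0]
    print("ciphertext", repr(guess), "-> plaintext 'e':", decrypt(guess) == "e")
    # The count profile is unchanged, which is what leaks the key entry by entry.
    print(histogram_shape(SAMPLE) == histogram_shape(ct))
```
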

DES: Data Encryption Standard
- encrypts data in 64-bit chunks
- encryption/decryption algorithm is a published standard
  - everyone knows how to do it
- substitution cipher over 64-bit chunks: 56-bit key determines which of 56! substitution ciphers used
- substitution: 19 stages of transformations, 16 involving functions of key
- decryption done by reversing encryption steps
- sender and receiver must use same key

Key Distribution Problem
- problem: how do communicants agree on symmetric key?
  - N communicants implies N keys
- trusted agent distribution:
  - keys distributed by centralized trusted agent
  - any communicant need only know key to communicate with trusted agent
  - for communication between i and j, trusted agent will provide a key
- we will cover in more detail shortly

Public Key Cryptography
- separate encryption/decryption keys
  - receiver makes known (!) its encryption key
  - receiver keeps its decryption key secret
- to send to receiver B, encrypt message M using B's publicly available key, EB
  - send EB(M)
- to decrypt, B applies its private decrypt key DB to received message:
  - computing DB( EB(M) ) gives M
- knowing encryption key does not help with decryption: decryption is a non-trivial inverse of encryption
- only receiver can decrypt message
- question: good encryption/decryption algorithms

RSA: public key encryption/decryption
RSA: a public key algorithm for encrypting/decrypting
entity wanting to receive encrypted messages:
- choose two prime numbers, p, q greater than 10**100
- compute n=pq and z = (p-1)(q-1)
- choose number d which has no common factors with z
- compute e such that ed = 1 mod z, i.e., integer-remainder( (ed) / ((p-1)(q-1)) ) = 1, i.e., ed = k(p-1)(q-1) + 1
- three numbers:
  - e, n made public
  - d kept secret

RSA (continued)
to encrypt:
- divide message into i blocks, bi of size k: 2**k < n
- encrypt: encrypt(bi) = bi**e mod n
to decrypt:
- bi = encrypt(bi)**d mod n
to break RSA:
- need to know p, q, given pq=n, n known
- factoring 200 digit n into primes takes 4 billion years using known methods

RSA example
- choose p=3, q=11, gives n=33, (p-1)(q-1)=z=20
- choose d = 7 since 7 and 20 have no common factors
- compute e = 3, so that ed = k(p-1)(q-1)+1 (note: k=1 here)

Further notes on RSA
why does RSA work?
- crucial number theory result: if p, q prime then bi**((p-1)(q-1)) mod pq = 1
- using mod pq arithmetic:
    (b**e)**d = b**(ed)
              = b**(k(p-1)(q-1)+1) for some k
              = b b**(p-1)(q-1) b**(p-1)(q-1) ... b**(p-1)(q-1)
              = b 1 1 ... 1
              = b
Note: we can also encrypt with d and decrypt with e.
- this will be useful shortly

How to break RSA?
Brute force: get B's public key
- for each possible bi in plaintext, compute bi**e
- for each observed bi**e, we then know bi
- more: choose size of bi "big enough"
man-in-the-middle: intercept keys, spoof identity:
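
The numbers from the "RSA example" slide, carried through key generation, encryption and decryption, followed by the brute-force table from the "How to break RSA?" slide, which shows why the block size has to be "big enough". This is an added example, not code from the slides; encoding letters as 1..26 is an assumption made for the sample message.

```python
from math import gcd

def make_keys(p, q, d):
    """Key generation as on the slides: returns (e, d, n)."""
    n, z = p * q, (p - 1) * (q - 1)
    if gcd(d, z) != 1:
        raise ValueError("d must have no common factors with z")
    e = pow(d, -1, z)               # e*d = 1 mod z (needs Python 3.8+)
    return e, d, n

E, D, N = make_keys(3, 11, 7)       # slide values: e = 3, d = 7, n = 33

def encrypt_block(b, e=E, n=N):
    if not 0 <= b < n:
        raise ValueError("block must be smaller than n")
    return pow(b, e, n)             # b**e mod n

def decrypt_block(c, d=D, n=N):
    return pow(c, d, n)             # c**d mod n

def dictionary_attack(ciphertext, e=E, n=N):
    """Recover the plaintext with the public key alone.

    With blocks this small, every possible b can be encrypted in advance
    and each observed ciphertext block looked up in the table.
    """
    table = {pow(b, e, n): b for b in range(n)}
    return [table[c] for c in ciphertext]

# Constructed message: letters encoded as 1..26 (assumed encoding).
MESSAGE = [ord(ch) - ord("a") + 1 for ch in "love"]

if __name__ == "__main__":
    ct = [encrypt_block(b) for b in MESSAGE]
    print("public key (e, n):", (E, N), "private d:", D)
    print("plaintext blocks :", MESSAGE)
    print("ciphertext blocks:", ct)
    print("decrypted with d :", [decrypt_block(c) for c in ct])
    print("recovered, no d  :", dictionary_attack(ct))
    # The d-then-e direction also round-trips, as the "Further notes" slide says.
    print("e undoes d       :", pow(pow(5, D, N), E, N) == 5)
```
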

Authentication
Question: how does a receiver know that remote communicating entity is who it is claimed to be?
Approach 1: peer-peer key-based authentication
- A, B (only) know secure key for encryption/decryption
- A sends encrypted msg to B and B decrypts:
    A to B: msg = encrypt("I am A")
    B computes: if decrypt(msg)=="I am A"
                then A is verified
                else A is fraudulent
- failure scenarios?

Authentication Using Nonces
- to prove that A is alive, B sends "once-in-a-lifetime-only" number (nonce) to A, which A encodes and returns to B
    A to B: msg = encrypt("I am A")
    B computes: if decrypt(msg)=="I am A"
                then A is OK so far
    B to A: once-in-a-lifetime value, n
    A to B: msg2 = encrypt(n)
    B computes: if decrypt(msg2)==n
                then A is verified
                else A is fraudulent
- note similarities to three way handshake and initial sequence number choice
- problems with nonces?
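
One failure scenario for Approach 1 is replay: a recorded msg is accepted again, while a recorded nonce response is not. The sketch below is an added example, not code from the slides, and it assumes HMAC-SHA256 as a stand-in for the slides' encrypt(), since B only needs evidence that the sender holds the shared key; the class and function names are illustrative.

```python
import hashlib
import hmac
import secrets

def prove(key, data):
    """A's side: keyed function of data (HMAC stand-in for encrypt())."""
    return hmac.new(key, data, hashlib.sha256).digest()

class Verifier:
    """B's side of both schemes."""

    def __init__(self, key):
        self.key = key
        self.pending = None                      # nonce awaiting a response

    def check_static(self, msg):
        # Approach 1: the expected message never changes between sessions.
        return hmac.compare_digest(msg, prove(self.key, b"I am A"))

    def challenge(self):
        self.pending = secrets.token_bytes(16)   # fresh, unpredictable nonce
        return self.pending

    def check_response(self, msg2):
        nonce, self.pending = self.pending, None  # each nonce is accepted once
        return nonce is not None and hmac.compare_digest(msg2, prove(self.key, nonce))

def replay_demo():
    """Returns (honest run accepted, static replay accepted, nonce replay accepted)."""
    key = secrets.token_bytes(32)                # known to A and B only
    b = Verifier(key)

    # Honest run. An eavesdropper records msg and msg2 from the wire.
    msg = prove(key, b"I am A")
    msg2 = prove(key, b.challenge())
    honest = b.check_static(msg) and b.check_response(msg2)

    # Later session: the recorded bytes are resent by someone without the key.
    static_replay = b.check_static(msg)
    b.challenge()                                # B issues a new nonce
    nonce_replay = b.check_response(msg2)
    return honest, static_replay, nonce_replay

if __name__ == "__main__":
    print(replay_demo())
```
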

Authentication Using Public Keys
- B wants to authenticate A
- A has made its encryption key EA known
- A alone knows DA
- symmetry: DA( EA(n) ) = EA( DA(n) )
    A to B: msg = "I am A"
    B to A: once-in-a-lifetime value, n
    A to B: msg2 = DA(n)
    B computes: if EA( DA(n) ) == n
                then A is verified
                else A is fraudulent

Digital Signatures Using Public Keys
Goals of digital signature:
- sender can not repudiate message never sent ("I never sent that")
- receiver can not fake a received message
Suppose A wants B wants to "sign" a message M
    B sends DA(M) to A
    A computes if EA( DA(M) ) == M
               then A has signed M
Question: can A plausibly deny having sent M?

Symmetric key exchange: trusted server
- problem: how do distributed entities agree on a key?
- assume: each entity has its own single key, which only it and trusted server know
- server:
  - will generate a one-time session key that A and B use to encrypt communication
  - will use A and B's single keys to communicate session key to A, B

Symmetric key exchange: trusted server
Preceding scenario:
1. A sends encrypted msg to S, containing A, B, nonce RA: EA(A,B,RA)
2. S decrypts using DA, generates one-time session key, K, sends nonce, key, and B-encrypted encoding of key to A: EA(RA,B,K,EB(K,A))
3. A decrypts msg from S using DA and verifies nonce. Extracts K, saves it and sends EB(K,A) to B.
4. B decrypts msg using DB, extracts K, generates new nonce RB, sends EK(RB) to A
5. A decrypts using K, extracts RB, computes RB-1 and encrypts using K. Sends EK(RB-1) to B
6. B decrypts using K and verifies RB-1
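
The six steps above, run end to end with both checks that make the exchange work: A's nonce RA rejects a recorded step-2 message, and B's RB-1 check confirms A holds K. This is an added example, not code from the slides; seal/unseal are a toy stand-in for EA, EB and EK (assumptions, not a real cipher), and all names are illustrative.

```python
import hashlib
import hmac
import json
import secrets

def seal(key, obj):
    """Toy authenticated encryption standing in for E_x(...). Not for real use."""
    iv = secrets.token_bytes(16)
    data = json.dumps(obj).encode()
    stream = hashlib.shake_256(key + iv).digest(len(data))
    body = iv + bytes(a ^ b for a, b in zip(data, stream))
    return body + hmac.new(key, body, hashlib.sha256).digest()

def unseal(key, blob):
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("wrong key or modified message")
    stream = hashlib.shake_256(key + body[:16]).digest(len(body) - 16)
    return json.loads(bytes(a ^ b for a, b in zip(body[16:], stream)))

# Long-term keys, each shared only between one entity and the server S.
LONG_TERM = {"A": secrets.token_bytes(32), "B": secrets.token_bytes(32)}

def server(sender, blob):
    """Step 2: S checks the request, issues K and the ticket E_B(K, A)."""
    a, b, ra = unseal(LONG_TERM[sender], blob)
    if a != sender:
        raise ValueError("request names a different sender")
    k = secrets.token_hex(16)                            # one-time session key
    ticket = seal(LONG_TERM[b], [k, a]).hex()            # E_B(K, A)
    return seal(LONG_TERM[a], [ra, b, k, ticket])        # E_A(R_A, B, K, E_B(K, A))

def run_exchange(old_reply=None):
    """Steps 1-6. old_reply substitutes a recorded step-2 message for the fresh one."""
    ka, kb = LONG_TERM["A"], LONG_TERM["B"]
    ra = secrets.randbits(64)
    reply = server("A", seal(ka, ["A", "B", ra]))        # steps 1 and 2
    ra_echo, peer, k_a, ticket = unseal(ka, old_reply or reply)   # step 3
    if ra_echo != ra or peer != "B":
        raise ValueError("nonce mismatch: reply is not fresh")
    k_b, claimed = unseal(kb, bytes.fromhex(ticket))     # step 4, at B
    rb = secrets.randbits(64)
    challenge = seal(bytes.fromhex(k_b), rb)             # E_K(R_B)
    rb_seen = unseal(bytes.fromhex(k_a), challenge)      # step 5, at A
    answer = seal(bytes.fromhex(k_a), rb_seen - 1)       # E_K(R_B - 1)
    verified = unseal(bytes.fromhex(k_b), answer) == rb - 1   # step 6
    return {"reply": reply, "same_key": k_a == k_b,
            "peer_at_b": claimed, "verified": verified}

if __name__ == "__main__":
    first = run_exchange()
    print({k: v for k, v in first.items() if k != "reply"})
    try:
        run_exchange(old_reply=first["reply"])
    except ValueError as err:
        print("replayed reply rejected:", err)
```
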

Public key exchange: trusted server
- public key retrieval subject to man-in-middle attack
- locate all public keys in trusted server
- everyone has server's encryption key (ED public)
- suppose A wants to send to B using B's "public" key

Clipper Chip: technical aspects
- US gov't proposed federal information processing standard (voluntary)
- obviously need to encrypt many things passed over phone line
- encryption technique for Clipper (skipjack algorithm) highly classified
- voluntarily installed in telecommunications equipment (existing products)
- call setup: A and B want to communicate
  - A, B use standard public key techniques to agree on a session key
  - session key encrypted using Clipper chip's unit key
  - encrypted session key and unencrypted unit ID put into LEAF (Law Enforcement Access Field) which is sent
  - note: LEAF redundant, A and B know session K
  - session key transmitted so it can be intercepted!
- session communication encrypted using session key

Privacy issues
Clipper I:
- device manufacturers split unit chip key in half:
  - unit chip key hardwired into tamper proof, non reverse-engineerable chip
  - half in escrow at NIST, half at Treasury
- gov't wants to wiretap machine with known unit ID
  - gov't (e.g., FBI) presents court orders to both agencies, gets unit chip key
  - uses chip key to determine session key from LEAF
  - unencrypts using session key
- US gov't outlawed export of greater-than-40-bit key technology
- Oct 96: 56 bit key technology selectively exportable for two year trial basis

Protection against Intruders: Firewalls
- firewall: network components (host/router+software) sitting between inside ("us") and outside ("them")
- packet filtering firewalls: drop packets on basis of source or destination address (i.e., IP address, port)
- application gateways: application specific code intercepts, processes and/or relays application specific packets
  - e.g., email or telnet gateways
  - application gateway code can be security hardened
  - can log all activity

Security: Internet activity
IP layer:
- authentication of header: receiver can authenticate sender using message authentication code (MAC)
- encryption of contents: DES, RFC 1829
API:
- SSL - secure socket layer: support for authentication and encryption
- port numbers: 443 for http with SSL, 465 for smtp with SSL
Application Layer:
- Privacy Enhanced Mail
- secure http: supports many authentication, encryption schemes

Security: conclusion
key concerns:
- encryption
- authentication
- key exchange
also:
- increasingly an important area as network connectivity increases
- digital signatures, digital cash, authentication, biometrics increasingly important
- an important social concern
further reading:
- Crypto Policy Perspectives: S. Landau et al., Aug 1994 CACM
- Internet Security, R. Oppliger, CACM May 1997
- www.eff.org