Lecture 9 - Network Security
TDTS41 - 2006 (ht1)
Prof. Dr. Christoph Schuba
Linköpings University/IDA
• Reading: [Hal05] §10.1-10.2.3; §10.2.5-10.7.1; §10.8.1
• Office hours: 9-10am on Oct. 4+5, 11+12, 25+26; Nov. 1+2, 8+9; or by appointment via e-mail
Overview
• Security Goals
• Encryption Technologies
• Non-repudiation
• Authentication
• Public Key Certification
• E-mail Privacy
• Network and Web Security
Security Goals
• Confidentiality:
Property that data is not disclosed in an unauthorized manner
• Integrity:
Property that resources/data have not been modified in an unauthorized manner
• Authenticity:
Assertion about entity identities or the origin of information
• Non-repudiation:
Concept that integrity and origin of data are verifiable
• Availability:
Timely, reliable access to resources by authorized entities
Encryption Technologies
• The model: see [Fig. 10.1]
• Terminology:
– plaintext (P, m) vs. ciphertext (C, c)
– encryption E() vs. decryption D()
– key K
– active vs. passive attacks
• eavesdropping, masquerading
Figure 10.1 Data encryption terminology
Two Types of Cryptosystems
• Conventional cryptosystems: EK and DK
– Both EK and DK must remain secret
– EK = DK or EK ≠ DK
• Public-key cryptosystems: RS and RP
– RS ≠ RP
– One key (private key) must remain private
– Other key (public key) can be published
Conventional Cryptosystems (aka Private Key Systems)
• Age-old Technology:
– Substitution, Transposition, and Product Ciphers
• Benefits:
– Well studied and understood
– High performance
• Drawbacks:
– Key distribution problem
Substitution Ciphers
• Each character in the plaintext is substituted for another character in the ciphertext
• Four classical types:
– Simple substitution cipher (aka monoalphabetic cipher)
– Homophonic substitution cipher
– Polygram substitution cipher
– Polyalphabetic substitution cipher
Simple Substitution Cipher
• Caesar Cipher (B.C.)
– Each plaintext character is replaced by the character 3 to the right, modulo 26
• c = E(m) := (m+3) % 26
• m = D(c) := (c+23) % 26
• ROT13
– Every letter is rotated 13 places
• c = E(m) := (m+13) % 26
• m = D(c) := (c+13) % 26
Homophonic Substitution Cipher
• Duchy of Mantua (1401)
• Same as monoalphabetic substitution cipher, but each plaintext character maps to several characters of ciphertext, any of which can be chosen
• Example: Encryption:
• A -> 5, 13, 25, or 56
• B -> 7, 19, 31, or 42
• Used to smooth out observable statistical patterns
Polygram Substitution Cipher
• Leon Battista (1568)
• Blocks of plaintext characters are mapped to corresponding blocks of ciphertext characters
• Example: Encryption:
• ABA -> RTQ
• ABB -> SLL
• Examples:
– Vigenère cipher (1586)
– Beaufort cipher
Polyalphabetic Substitution Cipher
• Monoalphabetic ciphers with multiple keys
• Trick: increase the number of keys (period) to get better security
• In the extreme: Running Key Cipher:
– Increase the period to the length of the plaintext
Transposition Ciphers
• The plaintext remains the same, but the order of characters is modified
• Example:
– Encryption: Write plaintext in rows, then read it out in columns
– Decryption: Write ciphertext in columns, then read it out in rows
– What is the key?
• Rotor machines, e.g., Enigma (WW II)
Excursion: Enigma
http://en.wikipedia.org/wiki/Enigma_machine
Product Ciphers
• Use a combination of substitutions and transpositions
• Transpositions aka permutations (P-Boxes)
– Three types [Fig. 10.2 (a)]:
• (i) straight
• (ii) expanded
• (iii) compressed
• Substitutions: defined through S-Boxes
– Needed to reduce the size of keys!
– See [Fig. 10.2 (b)]
Figure 10.2 Product cipher components: (a) P-box examples
Figure 10.2 Product cipher components: (b) S-box example
Example of a Product Cipher
• See [Fig. 10.3]: a combination of substitutions and transpositions
• Combination of P-Boxes and S-Boxes
• Popular technology:
– DES - Data Encryption Standard
– AES - Advanced Encryption Standard
– IDEA - International Data Encryption Algorithm
– and many more
Figure 10.3 Example of a product cipher
The Data Encryption Standard
• NIST: 1972 and 1974: Call for proposals
• 1976: Federal Standard, ratified ANSI 1981
• Block cipher: data blocks are 64 bits
• Key size: 56 bits
• Key is used to select 16 keys of 48 bits each; see [Fig. 10.4 (a)]
Figure 10.4 DES algorithm principles: (a) overall schematic
Figure 10.4 DES algorithm principles: (b) substitution schematic
Figure 10.4 DES algorithm principles: (c) substitution operation
Triple DES
• Problem: brute force attack against a 56-bit long key is now feasible
• Interim solution: apply DES multiple (three) times, giving it an effective security of 112 bits
• Illustrated in [Fig. 10.5]
Figure 10.5 Triple DES schematic
DES Modes of Operation (Chaining)
• Electronic Code Book (ECB)
– ciphertext blocks are independent of each other
• Chain Block Cipher (CBC)
– current plaintext is XORed with previous ciphertext to gain stream integrity properties
• Cipher Feedback Mode (CFM)
– similar to CBC, but operating on 8-bit boundaries
• Detailed figures in [Hal05 Fig. 10.6]
Figure 10.8 RSA schematic
Public-key Cryptosystems (aka Public Key Systems)
• Fairly recent technology (1976)
– DH, RSA, ECC
• Benefits:
– Very flexible
– Can provide confidentiality, integrity, authenticity, and non-repudiation services
• Drawbacks:
– Lower performance than conventional cryptography
Public-key Cryptography
• Alice and Bob (X) each have their own private/public key pair (K-X, K+X):
        Private Key   Public Key
Alice   K-A           K+A
Bob     K-B           K+B
• Confidentiality, Integrity, and Authenticity are then accomplished by combining encryptions and decryptions in the right combination
Security Goals
• Notation: {m}K-X means that message m is encrypted by X using his own private key K-X
• Confidentiality and Integrity:
A->B: {m}K+B
• Authenticity and Nonrepudiation:
A->B: {m}K-A
• All four goals at once:
A->B: {{m}K-A}K+B
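The three message forms above, worked through with textbook RSA as an added example (not from the lecture or [Hal05]). The function names, the small primes and the sample message are constructed for illustration; textbook RSA without hashing or padding is used only to mirror the slide's notation.

```python
def keypair(p, q, e=17):
    """Textbook RSA from two primes; returns (K+, K-) as (exponent, modulus)."""
    n = p * q
    return (e, n), (pow(e, -1, (p - 1) * (q - 1)), n)

def rsa(key, x):
    """{x}K: the same modular exponentiation serves both keys of a pair."""
    exponent, n = key
    if not 0 <= x < n:
        raise ValueError("value does not fit under this key's modulus")
    return pow(x, exponent, n)

# Constructed toy keys. Bob's modulus is the larger one, so a value produced
# under Alice's key always fits under Bob's key in the nested case.
ALICE_PUB, ALICE_PRIV = keypair(61, 53)   # n = 3233
BOB_PUB, BOB_PRIV = keypair(89, 97)       # n = 8633

def confidentiality(m):
    c = rsa(BOB_PUB, m)                   # A->B: {m}K+B
    return rsa(BOB_PRIV, c)               # only Bob's private key inverts it

def authenticity(m, tamper=0):
    s = rsa(ALICE_PRIV, m)                # A->B: {m}K-A
    s = (s + tamper) % ALICE_PUB[1]       # optional modification in transit
    return rsa(ALICE_PUB, s)              # anyone holding K+A can check

def all_four(m):
    wire = rsa(BOB_PUB, rsa(ALICE_PRIV, m))     # A->B: {{m}K-A}K+B
    return rsa(ALICE_PUB, rsa(BOB_PRIV, wire))  # Bob: K-B first, then K+A
```

The range check in `rsa` shows why the order of moduli matters for nesting: a value produced under a larger modulus may not fit under a smaller one.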
More on Authentication
• Authenticity: Assertion about entity identities or the origin of information
• Authentication using a public key system:
[Fig. 10.10]
• Authentication using a private key system:
[Fig. 10.11]
Figure 10.10 User authentication using a public key scheme
The Kerberos System
• Concept of a Trusted Third Party
• Key Distribution Server
• Tickets and Ticket Granting Server
• Service Server
Figure 10.11 User authentication using Kerberos: (a) terminology and message exchange
Figure 10.11 User authentication using Kerberos: (b) key and ticket definitions
Figure 10.11 User authentication using Kerberos: (c) message contents
Hash Functions and Message Authentication Codes (MAC)
• Many names, same basic building block:
– hash function, one-way hash function, compression function, contraction function, message digest, fingerprint, cryptographic checksum, message integrity check, manipulation detection code
• Properties: hash value := H(pre-image)
– One-way: Computing H() is easy, H⁻¹() is hard
– Collision-free: It's hard to find two pre-images with same hash value
– Hash function definition is public
• MAC: H(pre-image | secret key)
Public Key Certification
• Problem:
– Assertion of the binding: K+A to A
– Possible attack in [Fig. 10.12]
• Countermeasure:
– Certificate: digitally signed binding between public keys and their principals
– Content: issuer name, serial#, subject name, public key, validity period, signature
– Typically organized in a hierarchy: public key certification hierarchy (PKI)
Figure 10.12 A possible threat when using a public key system
Public-key Certification Hierarchy
• Certificate fields: Subject, Issuer name, Subject's public key, Signature {m}K-
• Certificate 1:
– Subject: [email protected]
– Issuer name: ca-student.liu.se
– Subject's public key: K+[email protected]
– Signature: {m}K-ca-student.liu.se, with m := ([email protected], K+[email protected] )
• Certificate 2:
– Subject: ca-student.liu.se
– Issuer name: ca-liu.se
– Subject's public key: K+ca-student.liu.se
– Signature: {m}K-ca-liu.se
• Certificate 3:
– Subject: ca-liu.se
– Issuer name: ca-se
– Subject's public key: K+ca-liu.se
– Signature: {m}K-ca-se
• Well known: K+ca-se
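Validating the hierarchy above from the end-entity certificate up to the well-known root key, as an added example (not from the lecture or [Hal05]). The function names, the toy RSA keys and the address `student@example.invalid` (a placeholder for the redacted subject) are constructed for illustration.

```python
import hashlib

def keypair(p, q, e=65537):
    """Toy textbook-RSA key from two primes: ((e, n), (d, n))."""
    n = p * q
    return (e, n), (pow(e, -1, (p - 1) * (q - 1)), n)

def digest(subject, pub, n):
    """Hash of m := (subject, K+subject), reduced below the signer's modulus."""
    data = f"{subject}|{pub[0]}|{pub[1]}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def issue(subject, subject_pub, issuer, issuer_priv):
    """The issuer signs m with its private key: {m}K-issuer."""
    d, n = issuer_priv
    return {"subject": subject, "pub": subject_pub, "issuer": issuer,
            "sig": pow(digest(subject, subject_pub, n), d, n)}

def verify_chain(chain, trusted):
    """chain[0] is the end-entity certificate; each next one certifies its issuer."""
    if not chain:
        return False
    for i, cert in enumerate(chain):
        if i + 1 < len(chain):                  # issuer key comes from the next cert
            if chain[i + 1]["subject"] != cert["issuer"]:
                return False
            e, n = chain[i + 1]["pub"]
        elif cert["issuer"] in trusted:         # top of chain: needs a well-known key
            e, n = trusted[cert["issuer"]]
        else:
            return False
        if pow(cert["sig"], e, n) != digest(cert["subject"], cert["pub"], n):
            return False
    return True

def mersenne(k):
    return 2**k - 1   # prime for the exponents used below; toy keys only

USER_PUB, _ = keypair(mersenne(13), mersenne(17))
STUDENT_PUB, STUDENT_PRIV = keypair(mersenne(19), mersenne(31))
LIU_PUB, LIU_PRIV = keypair(mersenne(61), mersenne(89))
SE_PUB, SE_PRIV = keypair(mersenne(107), mersenne(127))

USER = "student@example.invalid"   # placeholder subject (constructed)
CHAIN = [
    issue(USER, USER_PUB, "ca-student.liu.se", STUDENT_PRIV),
    issue("ca-student.liu.se", STUDENT_PUB, "ca-liu.se", LIU_PRIV),
    issue("ca-liu.se", LIU_PUB, "ca-se", SE_PRIV),
]
TRUSTED = {"ca-se": SE_PUB}        # "Well known: K+ca-se"
```

Replacing the public key in any certificate, dropping an intermediate certificate, or lacking K+ca-se in the trust store makes `verify_chain` return False.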
E-mail Privacy
• Confidentiality: Property that data is not disclosed in an unauthorized manner
• Important application with day to day value
• Most popular examples:
– PGP: Pretty Good Privacy
• Combination of MD5, RSA, IDEA, Base64, and Ziv-Lempel
– PEM: Privacy enhanced mail
• Internet Standard
• See [Fig. 10.13] for details
Network Security: IP Security (IPSec)
• IPSec history:
– SKIP vs. IPSec and IPv6 vs. IPv4
• Technical contents:
– Authentication Header (AH)
– Encapsulating Security Payload (ESP)
– Security Association (SA)
– Security Parameter Index (SPI)
– Internet Key Exchange (IKE)
• Integrated into network layer
• End-to-End vs. Tunnel modes
Figure 10.15 AH protocol header position and contents in transport mode
Web Security: Secure Socket Layer (SSL)
• History:
– SSL vs. TLS (Transport Layer Security)
– Netscape and the IETF
• Layered on top of TCP
• Ever noticed http vs. https in a URL?
• Notion of a session
Figure 10.19 The secure socket layer (SSL) protocol: (a) protocol stack
SSL - Protocol Phases
• Authentication (using a CA)
• Cryptographic algorithm negotiation
• Session Key exchange
• Transaction initiation
• Transaction information transfer
Figure 10.19 The secure socket layer (SSL) protocol: (b) outline of the authentication and transaction initiation phases
Questions?