ECE 428 Network Security

Academic year: 2021

(1)

ECE 428

(2)

Learning objectives

• Security requirements and tools

• Symmetric-key (secret key) cryptography

– Substitution, transposition, and product ciphers (DES)

• Public key cryptography: RSA algorithm

• Entity authentication using cryptography

• Symmetric-key distribution protocols

• Digital signature

• Public-key certification

• Internet Security

(3)

Security Requirements

• Privacy (Confidentiality)

– Ability to keep info. exchanged between parties private

• Observer should not be able to recover info.

• Stronger: an observer cannot determine the parties.

• User Authentication

– Ability of the parties to ascertain their identities.

• Data Authentication (Data Integrity)

– Ability to ascertain that information exchanged has not been subject to addition, deletion, modification, or undue delay.

(4)

Security tools

• Privacy (Confidentiality)

– Encryption: A process of transformation: C = E_K(M)

– Decryption: Recover the original msg.: M = D_K(C)

– Idea:

It should be computationally infeasible for an observer of C to recover either K or M (in a reasonable time).

• Data Authentication (Data Integrity)

– Hashing

• Create a message digest H(M).

• Even a 1-bit change in M will produce a large change (50%) in H(M).

• Non-repudiation (User integrity)

(5)

Types of Attackers

• Passive

– Intercept information as it passes.

– If data is encrypted, try to break it.

• Active

– Attacker listens.

(6)

Properties of cryptographic systems

• Conventional cryptographic systems (symmetric)

– Encryption: C = E_K(M)

– Decryption: M = D_K(C)

• Confusion

– Process of substituting characters or symbols to make

• Complex relationship between ciphertext and key

• Complex relationship between ciphertext and plaintext

• Diffusion

– Process of spreading the effect of plaintext or key as widely as possible over ciphertext

(7)

Kerckhoffs’s Principle

• Attacker knows everything about cryptosystem except the key.

– All algorithms are public.

– Only the keys are secret.

(8)

Cryptography (Secret writing)

[Figure: sender Alice encrypts the plaintext with a key; the ciphertext crosses the Internet, where Eve sits; receiver Bob decrypts the ciphertext with a key to recover the plaintext.]

Crypto. world: Symmetric-key (secret-key)

Asymmetric-key (public-key)

Alg. ≡ Cipher

(9)

Symmetric-key Cryptography

• The same key is used by both parties.

• Traditional ciphers: Unit of data is a character

– Transpositional cipher: Characters

– Substitution cipher (Caesar cipher)

(10)

Transposition

• Rearrange the order of the letters according to some predetermined pattern.

– A common method is columnar transposition.

• Write M in a matrix, then rearrange the columns.

(11)

Transpositional cipher: Example

• Key

A F I T R S R G I E O E A A O N S D D U R E

1 2 3 4 5 6 7 8

Encryption Decryption

Plaintext

1-3 2-6 3-4 4-1 5-2 6-8 7-5

(12)

Substitution Cipher

Idea: Message symbols are mapped into permuted set of symbols.

Monoalphabetic: A → P, B → W, C → E, D → K, …

Polyalphabetic: Vigenere cipher (16th century cipher)

Example: K = CIPHER {2, 8, 15, 7, 4, 17}

Plaintext = thiscryptosystemisnotsecure

Encryption: Add the key to the plain text, mod 26

  19  7  8 18  2 17 24 15 19 14 18 24 …
+  2  8 15  7  4 17  2  8 15  7  4 17 …
  ---------------------------------------
  21 15 23 25  6  8  0 23  8 21 22 15 …
   V  P  X  Z  G  I  A  X  I  V  W  P …

(13)

Substitution Cipher

Polyalphabetic: Hill Cipher (1929)

Idea: Encryption: y = xK

x and y are rows of m elements; K is an m x m matrix

Decryption: x = yK^-1

Example: K = | 11  8 |    K^-1 = |  7 18 |
             |  3  7 |           | 23 11 |
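The two polyalphabetic ciphers above, worked in code as an added example (not part of the original slides). It uses the slides' own keys, CIPHER for Vigenere and the 2 x 2 matrix K for Hill; the function names and the sample word "july" are assumptions made for the illustration.

```python
A = ord("a")  # letters are mapped to Z_26: a=0 ... z=25


def to_nums(text):
    return [ord(c) - A for c in text.lower()]


def to_text(nums):
    return "".join(chr(n % 26 + A) for n in nums)


def vigenere(text, key, decrypt=False):
    """Add (or, to decrypt, subtract) the repeating key letter by letter, mod 26."""
    k = to_nums(key)
    sign = -1 if decrypt else 1
    return to_text([(p + sign * k[i % len(k)]) % 26
                    for i, p in enumerate(to_nums(text))])


def mat_mul(rows, K):
    """Multiply each row vector in `rows` by the square matrix K, mod 26."""
    m = len(K)
    return [[sum(row[i] * K[i][j] for i in range(m)) % 26 for j in range(m)]
            for row in rows]


def hill(text, K):
    """y = xK on consecutive blocks of m letters (m = size of K)."""
    m = len(K)
    nums = to_nums(text)
    if len(nums) % m:
        raise ValueError("text length must be a multiple of the block size")
    blocks = [nums[i:i + m] for i in range(0, len(nums), m)]
    return to_text([n for row in mat_mul(blocks, K) for n in row])


# Key matrix and its inverse exactly as given on the slide.
K = [[11, 8], [3, 7]]
K_INV = [[7, 18], [23, 11]]

if __name__ == "__main__":
    ct = vigenere("thiscryptosystemisnotsecure", "cipher")
    print(ct.upper())                       # starts with VPXZGIAXIVWP, as on the slide
    print(vigenere(ct, "cipher", decrypt=True))
    print(mat_mul(K, K_INV))                # identity matrix mod 26
    print(hill("july", K), hill(hill("july", K), K_INV))
```

Decryption with the Hill cipher is the same routine called with K^-1, which only works because K times K^-1 is the identity mod 26.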

(14)

Cryptanalysis of Ciphers

Observation – letters do not appear equally in English text.

[Figure: bar chart of letter frequencies in English text; letters A to Z on the horizontal axis, frequency from 0 to 14% on the vertical axis.]

(15)

Cryptanalysis of Substitution Cipher

• Analyze a large volume of ciphertext for letter frequency.

• If frequencies are close to natural English only mapped to different letters, try replacement.

(16)

Product Cipher

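[Figure: product cipher. Input bits m1, m2, m3, …, m12 pass through alternating substitution and permutation stages S1, P1, S2, …, Pt-1, St, where each substitution stage is a row of S-boxes (S11 S12 S13 S14; S21 S22 S23 S24; …; St1 St2 St3 St4), producing output bits c1, c2, …, c12.]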

(17)

Data Encryption Standard: History

• Late 1960s: IBM set up a security project headed by Horst Feistel.

• 1971: Alg. LUCIFER sold to Lloyd’s for use in cash-dispensing.

• 1971: Another project headed by Tuchmann/Meyer to refine LUCI

• 1973: NBS (now NIST) issued an RFP for cipher standard

• IBM submitted the Tuchmann/Meyer work

• 1977: NBS accepted Tuchmann/Meyer work as DES (56-bit key)

• S-boxes were classified

• 1994: NIST reaffirmed DES for federal use for another 5 years

• 1999

(19)

Figure 1: Classical Feistel Network

(20)

Figure 2: Feistel Encryption and Decryption

(21)

LE16 = RE15

RE16 = LE15 ⊕ F(RE15, K16)

LD1 = RD0 = LE16 = RE15

RD1 = LD0 ⊕ F(RD0, K16)
    = RE16 ⊕ F(RE15, K16)
    = [LE15 ⊕ F(RE15, K16)] ⊕ F(RE15, K16)

[A ⊕ B] ⊕ C = A ⊕ [B ⊕ C]

D ⊕ D = 0

E ⊕ 0 = E

Example of Reversibility
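The reversibility argument above can be checked mechanically. The following is an added example, not code from the slides: a 16-round Feistel network on 64-bit blocks whose round function F (truncated SHA-256) and subkey constants are assumptions chosen for illustration. F is deliberately not invertible, yet running the same network with the subkeys in reverse order undoes encryption, and every decryption round state mirrors the matching encryption state (LD1 = RE15, RD1 = LE15, and so on).

```python
import hashlib

ROUNDS = 16
HALF = 32                        # bits per half of a 64-bit block
MASK = (1 << HALF) - 1

# Constructed subkeys K1..K16 (illustrative constants, not a real key schedule).
SUBKEYS = [(0x9E3779B9 * (i + 1)) & MASK for i in range(ROUNDS)]


def F(right, subkey):
    """Round function. Assumption: truncated SHA-256, which cannot be inverted."""
    data = right.to_bytes(4, "big") + subkey.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:4], "big")


def round_states(block, subkeys):
    """Return [(L0, R0), (L1, R1), ...] for the given subkey order."""
    left, right = block >> HALF, block & MASK
    states = [(left, right)]
    for k in subkeys:
        # L_i = R_(i-1);  R_i = L_(i-1) xor F(R_(i-1), K_i)
        left, right = right, left ^ F(right, k)
        states.append((left, right))
    return states


def feistel(block, subkeys):
    """All rounds, followed by the final swap of the two halves."""
    left, right = round_states(block, subkeys)[-1]
    return (right << HALF) | left


def encrypt(block, subkeys=SUBKEYS):
    return feistel(block, subkeys)


def decrypt(block, subkeys=SUBKEYS):
    # Same network, subkeys in reverse order: K16 first, K1 last.
    return feistel(block, subkeys[::-1])


def mirrors_encryption(plaintext, subkeys=SUBKEYS):
    """True if (LD_i, RD_i) == (RE_(16-i), LE_(16-i)) for every round i."""
    enc = round_states(plaintext, subkeys)
    dec = round_states(encrypt(plaintext, subkeys), subkeys[::-1])
    n = len(subkeys)
    return all(dec[i] == (enc[n - i][1], enc[n - i][0]) for i in range(n + 1))


if __name__ == "__main__":
    pt = 0x0123456789ABCDEF
    ct = encrypt(pt)
    print(hex(ct), hex(decrypt(ct)), mirrors_encryption(pt))
```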

(28)

F-box design criteria

• Good Avalanche property

• A change in 1 bit of the input should produce a change in many output bits.

• Special case: Strict Avalanche Condition (SAC)

– Any output bit j should change with probability 0.5 when any single input bit is inverted.

• Bit Independence Criterion (BIC)

• Output bits j and k should change independently when any single input bit i is inverted.

• Note

(29)

S-box design criteria

• Guaranteed Avalanche (GA) of order r

– 1-bit change in input provides at least r bit change in output.

– GA in the range of order 2-5 provides strong diffusion property.

• If two inputs to an S-box differ in exactly 1 bit,

– The outputs must differ in at least 2 bits.

• Each row of an S-box should include all 16 possible bit combinations.

• Box size

– Larger box: more resistant to cryptanalysis, but more difficult to design.

(30)

P-box design criteria

• The 4 o/p bits of each S-box

– affect SIX different S-boxes on the next round, and

– no two affect the same S-box.

• The 4 o/p bits from each S-box at round i are distributed by P-box so that

– 2 of them affect middle bits of round i+1, and the other 2 bits affect end bits.

(31)

Triple DES

[Figure: Triple DES built from DES encrypt and DES decrypt stages keyed with K1 and K2, operating on a 64-bit plaintext block.]

(32)

Advanced Encryption Standard

• Size of data block: 128 bits

• Key sizes

– 128 bits (10 rounds)

– 192 bits (12 rounds)

– 256 bits (14 rounds)

• Structure of round i

– 128-bit data → Byte Substitution → Byte Permutation → MixColumn → AddRoundKey (with Ki) → 128-bit data

(33)

Public-key cryptography

• In public-key crypto: the two keys are different

– Public key: use to encrypt

– Private key: use to decrypt

• Every user has two keys

– Distribute the public key.

(34)

Public-key cryptography: The RSA algorithm

• Rivest, Shamir, and Adleman alg. (commonly used)

– Sender wants to send plaintext P

• Public key: (N, e); P < N

• Encryption alg.: C = P^e mod N (C is the remainder of mod.)

• Transmit ciphertext C.

– Receiver receives ciphertext C

• Private key: (N, d)

• Decryption alg.: P = C^d mod N

• P is the plaintext received.

(35)

Public-key cryptography: The RSA algorithm

• Choosing Public and Private keys

– Choose two large prime numbers p and q.

– Compute N = p x q.

– Choose e < N such that

• e and (p – 1)(q – 1) are relatively prime

– Relatively prime: no common factor except 1

– Example: 25 and 27 are relatively prime.

– Choose d such that

(36)

Example

• Select two prime numbers: p = 17, q = 11.

• Calculate N = p*q = 17*11 = 187.

• Calculate φ(N) = (p-1)*(q-1) = 16*10 = 160.

– φ(N) is Euler’s Totient Function

• Select e such that e is relatively prime to φ(N) and e < N. (Choose e = 7)

• Determine d such that

– d*e ≡ 1 mod 160 and

– d < 160

Let d = 23, because 23*7 = 161 = 1*160 + 1

• The two keys are:

• Public key: [e, N] = [7, 187]

• Private key: [d, N] = [23, 187]

(37)

Example

• Choose a 1-byte message M = 01011000 (= 88 in decimal)

• Encrypt: C = 88^7 mod 187

= [(88^4 mod 187) * (88^2 mod 187) * (88^1 mod 187)] mod 187

= [132 * 77 * 88] mod 187

= 11 (decimal): 00001011

• Decrypt: M = 11^23 mod 187

= [(11^5 mod 187) * (11^5 mod 187) * (11^5 mod 187) * (11^5 mod 187) * (11^3 mod 187)] mod 187

= [44 * 44 * 44 * 44 * 22] mod 187 = 88

(38)

Public-key cryptography: The RSA algorithm

• Choosing a prime number

– Choose a random number M in the desired range.

• If M is prime, we are done.

• If not, search around M (What is the search space?)

– Result from number theory: The primes near M are spaced on the average one every ln(M) integers.

– Since even numbers can be ignored, one needs to test ln(M)/2 odd integers around M.

– Example: for M = 2^200, ln(M)/2 = 70 searches.

• Finding relatively primes

(39)

(Dis)Advantages of Crypto Systems

• Secret Key

• Advantages

– Efficient; Often used for long messages

• Disadvantages

– Large number of keys: N users → N(N-1)/2 symmetric keys

– Problem in key distribution

• Public Key

(40)

Entity Authentication

• Identity of a party is verified for the entire duration of access.

• Two approaches

– Password

(41)

Entity Authentication with Symmetric-key Crypto.

• First approach (Password authentication)

• Alice sends (Alice, password) encrypted with the symmetric key to Bob.

• Security flaw

– Eve intercepts the message

(42)

Entity Authentication with Symmetric-key Crypto.

• Second approach (1-way authentication)

• Use challenge text (nonce)

• Nonce: A large random number that is used only once.

Alice

xyz

Encrypt(xyz)

(43)

Entity Authentication with Symmetric-key Crypto.

• Second approach (2-way authentication)

Alice, X

Y, encrypt(X)

(44)

Symmetric-key distribution

Issues in key distribution: Assume N parties

N(N – 1)/2 secret keys

Each party stores (N – 1) keys

A symmetric key is useful if it is treated as a session key.

Example protocols: for securely acquiring keys

Diffie-Hellman Protocol

Key Distribution Center (KDC)

Needham-Schroeder Protocol

(45)

Diffie-Hellman Protocol

– Executed over the Internet

R1

R2 = G^y mod N

R2

Alice

N and G are large primes known to both.

Bob

(46)

Diffie-Hellman: Man-in-the-Middle Attack

R1 = G^x mod N

R1

R2 = G^z mod N

R2

R2

R3 = G^y mod N

R3

K1 = (R2)^x mod N

K2 = (R2)^y mod N

K1 = (R1)^z mod N

K2 = (R3)^z mod N

K1 = G^(xz) mod N

K2 = G^(zy) mod N

(47)

Diffie-Hellman: Man-in-the-Middle Attack

• Diffie-Hellman

– Strength

• Difficult to break: finding x from R1 and y from R2 is difficult.

– Weakness:

• Sending R1 and R2 as plaintext.

• Man-in-the-Middle attack
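The weakness listed above comes down to the exchanged values being unauthenticated. The following added example (not from the original slides) replays the slide's equations with toy numbers and shows the resulting symptom a defender can check for: Alice and Bob end up with different keys. The parameters N = 23, G = 5 and the secrets are constructed; x, y and z are taken to be Alice's, Bob's and Eve's secrets, and the fingerprint comparison over an authenticated channel is an assumed countermeasure for illustration.

```python
import hashlib

N, G = 23, 5          # toy public parameters (constructed; real ones are far larger)


def public_value(secret):
    return pow(G, secret, N)


def shared_key(received, secret):
    return pow(received, secret, N)


def honest_exchange(x, y):
    """Alice sends G^x, Bob sends G^y, both derive G^(xy) mod N."""
    r_alice, r_bob = public_value(x), public_value(y)
    return {"alice": shared_key(r_bob, x), "bob": shared_key(r_alice, y)}


def intercepted_exchange(x, y, z):
    """The run on the slide: R1 and R3 are withheld and R2 = G^z is delivered instead."""
    R1, R2, R3 = public_value(x), public_value(z), public_value(y)
    return {
        "alice": shared_key(R2, x),      # K1 = (R2)^x mod N
        "bob": shared_key(R2, y),        # K2 = (R2)^y mod N
        "eve_k1": shared_key(R1, z),     # K1 = (R1)^z mod N = G^(xz) mod N
        "eve_k2": shared_key(R3, z),     # K2 = (R3)^z mod N = G^(zy) mod N
    }


def fingerprint(key):
    """Short digest of a derived key, for comparison without revealing the key."""
    return hashlib.sha256(str(key).encode()).hexdigest()[:16]


def keys_agree(keys):
    """Detection check: Alice and Bob compare fingerprints over an
    authenticated channel (assumed to exist, e.g. read out in person)."""
    return fingerprint(keys["alice"]) == fingerprint(keys["bob"])


if __name__ == "__main__":
    print(honest_exchange(6, 15), keys_agree(honest_exchange(6, 15)))
    run = intercepted_exchange(6, 15, 13)
    print(run, keys_agree(run))
```

With parameters this small two different keys could coincide by chance; with the values used here they do not.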

(48)

Key Distribution Centre: for a session key

Alice, Bob

KA(KAB, KB(Alice, Bob, KAB))

Alice

KDC

Bob

KB

(Alice, Bob, KAB)

ticket

Vulnerable to replay attack.

(KA: Sym key)

(49)

Needham-Schroeder Protocol: for a session key

Alice

Alice

KDC

Bob

RA, Alice, Bob, KB(RB) KB(RB)

KA(RA,Bob,KAB,KB(KAB,Alice,RB))

KAB(R1), KB(KAB, Alice, RB)

(KB: Sym. Key) (KA: Sym. Key)

(50)

Other Services from a Secure System

• Message authentication

– The receiver needs to be sure of the sender’s identity.

• Message integrity

– The data must arrive at the receiver exactly as they were sent.

• Nonrepudiation

– The receiver must be able to prove that a received message came from a specific sender.

(51)

Digital Signature

• When you send a document, sign (encrypt) it.

• Sign the whole document.

– The sender uses his private key to encrypt the message.

– The receiver uses the public key to decrypt the message.

• Authentication using DS

– Alice (encrypts with own private key) → Bob (Decrypts with Alice’s public key)

– If Eve tries to impersonate Alice

» Eve (encrypts with own private key) → Bob (Decrypt with Alice’s public key): Bob rejects the message

(52)

Digital Signature

• Nonrepudiation using DS

• A trusted 3rd party saves the messages received by Bob from Alice.

• In case of a dispute

– Bob appeals to the 3rd party.

– Bob shows that encrypting and decrypting the saved message with Alice’s private and public keys can create a duplicate of the saved message.

(53)

Signing the digest

[Figure: Alice hashes the message into a digest, encrypts the digest with Alice’s private key, adds the result to the message, and transmits both over the Internet to Bob.]

Hash function examples: Message Digest 5 (MD5), Secure Hash Alg. 1 (SHA1)

(54)

Public-key Certification

• Bob owns two items: <private key, public key>

– The public key is distributed

– Problem

• Maintaining the association <Bob, public key>

• Susceptible to impersonation by Eve.

• Bob wants two things

– He wants people to know his public key.

– He wants no one to accept a public key forged as Bob’s.

• Certification Authority

– Binds <Public key, Bob>

(55)

Certification Authority (CA)

• Bob → CA: message is Bob’s ID

• CA → Bob: asks for Bob’s public key

• Bob → CA: Bob sends PKCA(public key)

• CA

• Writes the public key of Bob on a certificate (C)

• Makes a message digest from the certificate (D).

• Encrypts the digest with its own private key (ED).

• CA → Bob: <C, ED>

(56)

Certification Authority (CA): X.509

• CA solves the problem of public-key fraud.

• Side effect: Certificates may be in different format

• X.509 describes certificates in a structured way

• Version: Version # of X.509

• Serial number: The unique ID used by the CA

• Signature: The certificate signature

• Issuer: The name of the CA defined by X.509

• Validity Period: Start and end period

• Subject: The entity whose public key is being certified

• Public key: The public key and the algorithms that use it

(57)

Kerberos: Authentication protocol + KDC

[Figure: Kerberos exchange among Alice, the AS and the TGS, numbered steps 1 to 6: request ticket for TGS; Alice-TGS session key and ticket for TGS; request ticket for Bob; Alice-Bob session key and ticket; request service.]

(58)

Kerberos Example

Parties: Alice, AS, TGS, Server (Bob)

Messages, in order:

Alice

KA(KS, KTG(Alice, KS))

KS(T), Bob, KTG(Alice, KS)

KS(Bob, KAB), KB(Alice, KAB)

KAB(T), KB(Alice, KAB)

KAB(T + 1)

(KA: Sym. Key of Alice generated on the fly)

KS: Session key for comm with TGS

(59)

Security in the Internet

• IP layer security

– Complicated: multiple services (TCP, OSPF, ICMP)

– Not effective unless there is wider participation

– IPSec: prevailing technology

• Transport layer security

– Secure Socket Layer (SSL)

(60)

IPSec

• Provides a framework and mechanism

– No concrete encryption or authentication method

• Requires a logical connection between two hosts

– Security Association (SA) protocol: signaling protocol

– Connectionless IP → Connection-oriented IP

• Simplex connection

• Elements of a conn.: ID, security protocol type, source IP addr

• Operates in two modes

– Transport mode: security service to the upper-layer

– Tunnel mode: security service to the tunneled packets

(61)

IPSec: two modes

Transport mode

Before: IP Header | The rest of the packet

After: IP Header | IPSec header | The rest of the packet

Tunnel mode

Before: IP Header | The rest of the packet

After: New IP Header | IPSec header | IP Header | The rest of the packet

(62)

IPSec: two security protocols

• Two security protocols

– Authentication Header (AH)

– Encapsulating Security Payload (ESP)

• Authentication Header protocol

– Authenticate the source host

– Ensure the integrity of the payload in the IP packet

– Does not provide privacy (no encryption)

– What does it do?

• Calculate a message digest (use a hash function + sym. key)

• Insert the digest in the AH header (location is mode dependent)

(63)

IPSec: AH

[Figure: AH packet layout. Packet: IP Header (Protocol = 51 => packet carries an AH) | IPSec header | The rest of the packet | Padding (even length); marked as used in calculating the digest. IPSec header fields: Next header (8 bits, = original “protocol” field) | Payload length (8 bits) | Reserved (16 bits) | Security parameter index (conn. ID) | Sequence number.]

(64)

IPSec: ESP

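[Figure: ESP packet layout. Original IP packet: IP Header | Rest of the payload. With ESP: IP Header (50) | ESP Header | Rest of the payload | ESP Trailer | Authentication Data, with the encrypted and the authenticated portions marked. ESP Header: Security parameter index (32 bits) | Sequence number (32 bits). ESP Trailer: Padding | Pad length (8 bits, in bytes) | Next header (8 bits).]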

(65)

Transport Layer Security (TLS)

Protocol stack (top to bottom): Application (HTTP) | TLS | TCP | IP

General Idea

Two parties agree on THREE protocols

- Entity authentication protocol (2-way)

- Message authentication protocol

(66)

Transport Layer Security (TLS)

[Figure: TLS sits between TCP and the application (HTTP); it consists of the Handshake Protocol, the Change cipher spec Protocol and the Alert Protocol on top of the TLS Record Protocol.]

(67)

TLS: Entity authentication (Handshake protocol)

Phase I: Establish security capabilities

Phase II: Server authentication and key exchange

Phase III: Client authentication and key exchange

(68)

TLS: Entity auth. (Handshake protocol)

• Phase I

– Client/ server announce their security capabilities.

– Choose that are agreeable to both.

– Establish a session ID.

– Choose a cipher suite.

(69)

TLS: Entity auth. (Handshake protocol)

• Phase II

• The server authenticates itself.

• The server may send its certificate, its public key, and request a certificate from the client.

• Phase III

• The client authenticates itself (if required)

• May send a secret to be used in calculation of session keys.

(70)

TLS: Entity auth. (Handshake protocol)

• Parameters

• Session ID: arbitrary byte sequence chosen by server

• Peer certificate: an X509 certificate of the peer (null?)

• Compression method: (optional) used before encrypt.

• Cipher spec.: data encryption algorithm (null/DES/..), message digest algorithm (MD5/SHA)

(71)

TLS: Entity authentication (Handshake protocol)

Client → Server: ClientHello

Server → Client: ServerHello, Certificate, ServerKeyExchange, CertificateRequest, ServerHelloDone

Client → Server: Certificate, ClientKeyExchange

(Some of these messages are marked optional.)

(72)

TLS: Record Protocol

[Figure: TLS Record Protocol. Data from above → Compression → compressed data → Hash → compressed data + digest → Encryption → encrypted data, to which a header is added.]

(73)

Application layer security

• Pretty Good Privacy (PGP)

– Developed for sending email

– Provides all the four aspects of security

• privacy, integrity, authentication, and non-repudiation

(74)

PGP at the sender (Alice)

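[Figure: PGP at the sender. The email is hashed into a digest; the digest is encrypted with Alice’s private key to give the signed digest, which is added to the email; email + signed digest are encrypted with a one-time secret key; the one-time secret key is encrypted with Bob’s public key; the two encrypted parts are combined and transmitted.]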

(75)

PGP at the receiver (Bob)

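[Figure: PGP at the receiver. The encrypted (secret key) part is decrypted with Bob’s private key to give the one-time secret key; the encrypted (message + digest) part is decrypted with the one-time secret key; the email is hashed and the digest is decrypted.]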

(76)

Firewalls

• Need for a firewall

– Digital Signature + encryption cannot prevent Eve from sending a harmful message to a system.

• Firewall

– A router or a computer + packet filtering mechanism

– Installed on the outer edge of an internal network

[Figure: a firewall between the internal network and the Internet, filtering incoming packets and outgoing packets.]

(77)

Firewall

• Example of packet filtering

– Drop all packets from a specific host

– Drop some kinds of packets to a specific host

• Two classes of firewall

– Packet-filter firewall: TCP/IP level

(78)

Packet-filter firewall

[Figure: packet-filter firewall between the internal network and the Internet, with interfaces 1 and 2.]

Interface | Source IP  | Source port | Destination IP | Destination port
1         | 129.97.0.0 | *           | *              | * (any)
1         | *          | *           | *              | 23 (Telnet)
1         | *          | *           | 195.75.20.8    | *
2         | *          | *           | *              | 80 (HTTP)

1. Incoming packets from network 129.97.0.0 are blocked.

2. Incoming packets destined for internal TELNET server are blocked.

3. Incoming packets destined for internal host 195.75.20.8 are blocked → internal use only.

4. Outgoing packets destined for an HTTP server are blocked → Your employer does not want you to browse the Internet.
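The rule table above, evaluated over sample packets, as an added example that is not part of the original slides. Assumptions: network 129.97.0.0 is treated as a /16, interface 1 carries incoming and interface 2 outgoing packets (as the rule descriptions imply), and the sample packets, including the internal host 195.75.20.20, are constructed.

```python
import ipaddress
from typing import NamedTuple, Optional


class Packet(NamedTuple):
    interface: int
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


ANY = "*"

# (interface, source IP, source port, destination IP, destination port),
# one tuple per row of the slide's table. Every rule is a "block" rule.
BLOCK_RULES = [
    (1, "129.97.0.0/16", ANY, ANY, ANY),   # /16 is an assumption
    (1, ANY, ANY, ANY, 23),
    (1, ANY, ANY, "195.75.20.8", ANY),
    (2, ANY, ANY, ANY, 80),
]


def _ip_matches(rule, value):
    return rule == ANY or ipaddress.ip_address(value) in ipaddress.ip_network(rule)


def _port_matches(rule, value):
    return rule == ANY or rule == value


def blocking_rule(pkt: Packet) -> Optional[int]:
    """Return the 1-based number of the first rule that blocks pkt, or None if it passes."""
    for number, (iface, sip, sport, dip, dport) in enumerate(BLOCK_RULES, start=1):
        if (iface == pkt.interface
                and _ip_matches(sip, pkt.src_ip)
                and _port_matches(sport, pkt.src_port)
                and _ip_matches(dip, pkt.dst_ip)
                and _port_matches(dport, pkt.dst_port)):
            return number
    return None


# Constructed sample traffic (documentation-range addresses for outside hosts).
SAMPLES = [
    Packet(1, "129.97.4.9", 40000, "195.75.20.20", 80),    # from the blocked network
    Packet(1, "203.0.113.5", 40000, "195.75.20.20", 23),   # incoming Telnet
    Packet(1, "203.0.113.5", 40000, "195.75.20.8", 80),    # to the internal-only host
    Packet(2, "195.75.20.20", 40000, "198.51.100.7", 80),  # outgoing HTTP
    Packet(1, "203.0.113.5", 40000, "195.75.20.20", 80),   # incoming HTTP, other host
    Packet(2, "195.75.20.20", 40000, "198.51.100.7", 443), # outgoing, port 443
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(p, "->", blocking_rule(p) or "forwarded")
```

The last sample shows the limit of a port-based rule: rule 4 matches destination port 80 only, so web traffic on any other port is forwarded.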

(79)

Proxy Firewall

• Application level?

– Enforce policies

• Ex.: Users with previous business relations with the company can have access – others are blocked

(80)

Proxy Firewall

[Figure: proxy firewall. All HTTP packets from the Internet go to the HTTP Proxy (Application Gateway) in the firewall; accepted packets are passed on to the HTTP Server, and errors are returned.]

(82)

Background material for the RSA algorithm

• Given a positive integer n, Z_n = {0, 1, 2, …, n-1}. Known as residue classes modulo n.

Two integers are relatively prime if their only common positive integer factor is 1.

– Examples: 25 and 27 are relatively prime; 18 and 4 are not.

Two integers a and b are said to be congruent modulo n (n > 0), if (a mod n) = (b mod n). This is written as

a ≡ b mod n.

Examples: 73 ≡ 4 mod 23; 21 ≡ -9 mod 10

Properties:

(i) a ≡ b mod n if n|(a-b) (Note: n|x means n divides x.)

(ii) if (a + b) ≡ (a + c) mod n then b ≡ c mod n

(iii) if (a x b) ≡ (a x c) mod n then b ≡ c mod n, if a is relatively prime to n

(iv) For a prime number p, let Z_p be the set as defined above.

For each w ∈ Z_p, w ≠ 0,

Multiplicative inverse of w (denoted by w^-1) is z ∈ Z

(83)

Fermat’s Theorem/ Euler’s Totient Function φ(n)

• If p is a prime and a is a +ve integer not divisible by p, then

a^(p-1) ≡ 1 mod p (Fermat’s Theorem)

• An alternative form of the theorem

If p is prime and a is any positive integer, then

a^p ≡ a mod p

• For a positive integer n, φ(n) is the number of positive integers less than n and relatively prime to n.

(84)

Euler’s Theorem

• For every a and n that are relatively prime:

a^φ(n) ≡ 1 mod n

Example: a = 3; n = 10; φ(n=10) = φ(2x5) = (2-1)x(5-1) = 4;

3^4 = 81 ≡ 1 mod 10

• An alternative form of the theorem

a^(φ(n) + 1) ≡ a mod n

• Important result: p and q are primes; n = pq and

m an integer, 0 < m < n

(85)

Public-key cryptography: Extended Euclid’s Alg.

• Euclid’s algorithm finds gcd(m, b)

• If gcd(m, b) = 1, then b has a b^-1, such that

b·b^-1 ≡ 1 mod m

(b^-1 is called the multiplicative inverse of b.)

• Algorithm

1. (A1, A2, A3) ← (1, 0, m); (B1, B2, B3) ← (0, 1, b)

2. if B3 = 0 return A3 = gcd(m, b); no inverse

3. if B3 = 1 return B3 = gcd(m, b); B2 holds b^-1

4. Q = A3/B3
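An added example (not part of the original slides) that ties the extended Euclid algorithm above to the RSA key-selection and worked-example slides: it derives d = 23 from e = 7 and φ(N) = 160, then reproduces 88 → 11 → 88. The slide text stops at step 4, so the update after computing Q is the standard continuation and is an assumption; the function names are also assumptions.

```python
def extended_euclid(m, b):
    """Return (gcd(m, b), b^-1 mod m), with None for the inverse when gcd != 1.

    Variable names follow the slide's triples (A1, A2, A3) and (B1, B2, B3).
    """
    A1, A2, A3 = 1, 0, m
    B1, B2, B3 = 0, 1, b
    while True:
        if B3 == 0:                      # step 2: A3 = gcd(m, b), no inverse
            return A3, None
        if B3 == 1:                      # step 3: gcd is 1, B2 holds b^-1
            return 1, B2 % m
        Q = A3 // B3                     # step 4, as an integer quotient
        # The slide is cut off after step 4. The update below is the standard
        # continuation of the algorithm (an assumption, not text from the page).
        A1, A2, A3, B1, B2, B3 = B1, B2, B3, A1 - Q * B1, A2 - Q * B2, A3 - Q * B3


def make_keys(p, q, e):
    """Textbook RSA key pair ([e, N], [d, N]) from primes p, q and a chosen e."""
    N = p * q
    phi = (p - 1) * (q - 1)
    g, d = extended_euclid(phi, e)
    if g != 1:
        raise ValueError("e must be relatively prime to (p-1)(q-1)")
    return (e, N), (d, N)


def mod_exp(base, exponent, modulus):
    """Square-and-multiply: the general form of 88^7 = 88^4 * 88^2 * 88^1."""
    result, square = 1, base % modulus
    while exponent:
        if exponent & 1:
            result = (result * square) % modulus
        square = (square * square) % modulus
        exponent >>= 1
    return result


def encrypt(P, public_key):
    e, N = public_key
    if not 0 <= P < N:
        raise ValueError("plaintext must satisfy P < N")
    return mod_exp(P, e, N)


def decrypt(C, private_key):
    d, N = private_key
    return mod_exp(C, d, N)


if __name__ == "__main__":
    # Toy parameters from the slides; deployed RSA uses much larger primes and padding.
    public, private = make_keys(17, 11, 7)
    C = encrypt(88, public)
    print(public, private, C, decrypt(C, private))
```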
